External and Internal Penetration Testing

Let's start by defining penetration testing. A penetration test, or pentest, is a controlled simulation of an attack on a network, system, application or website. It is used to find exploitable vulnerabilities and weaknesses before real attackers find and exploit them.

Pentesting helps you validate and improve the effectiveness of your security controls with evidence rather than assumptions: a finding is something the testers actually demonstrated, not a scanner guess.

Pentests discover vulnerabilities, and a good report also rates each one by impact and likelihood and includes specific, actionable remediation instructions for the discovered vulnerabilities and weaknesses.


Penetration Testing Standards

Here are some of the main standards and methodologies for penetration testing:

  • LPT - Licensed Penetration Tester methodology from EC-Council
  • OSSTMM - Open Source Security Testing Methodology Manual (ISECOM)
  • OWASP Testing Guide - from the Open Web Application Security Project
  • ISSAF - Information Systems Security Assessment Framework, published by the OISSG (Open Information Systems Security Group)
  • WASC-TC - Web Application Security Consortium Threat Classification
  • PTF - Penetration Testing Framework
  • NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

In some cases a penetration test is combined with a risk assessment methodology aligned with modern compliance standards and regulations that require or recommend periodic security testing, such as:

  • PCI DSS (Payment Card Industry Data Security Standard)
  • ISO-IEC 27001 (Information Security Management Systems)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOX (Sarbanes-Oxley Act)
  • GLBA (Gramm–Leach–Bliley Act)
  • FISMA (Federal Information Security Management Act)


Penetration Testing Methodologies

A penetration test follows one of three approaches, which differ in how much information the client shares with the testers:

  • Black Box Penetration Test

During a Black Box pentest the client gives the auditors no internal technical or network information beyond the agreed scope. The Black Box approach therefore requires the auditors to spend time on network exploration and reconnaissance in order to build an effective attack plan. This approach simulates the most realistic attack scenario and is well suited to companies who want to know what a group of external attackers could achieve within a limited period of time. The trade-off is that time spent on reconnaissance is time not spent on testing, so coverage is narrower than in the other two approaches.

  • Grey Box Penetration Test

Unlike the Black Box approach, the Grey Box approach usually does not require the auditors to spend much time on network exploration. Internal information, such as technical documentation or credentials of privileged users, may be given to the auditors in order to simulate a more advanced attack in which the attacker has already obtained some sensitive information. For a Grey Box pentest the client may also specify which attack techniques and which systems are in or out of scope. Grey Box is the most common approach: it provides comprehensive security testing within a relatively short period of time compared to White Box.

  • White Box Penetration Test

The White Box pentest is the most collaborative approach: the client provides the auditors with full information about the network architecture, user credentials and, in some cases, source code. White Box is closer to an audit than to a penetration test. It is the most comprehensive and complete approach to security testing, but it also requires the most time. White Box is advised for companies who want every component of their defence perimeter, down to the source code where available, to be scrupulously verified.
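Two practical points from the paragraphs above are worth seeing in code: the reconnaissance work a Black Box tester has to do before anything else, and the scope restrictions a client imposes in a Grey Box engagement. The following is an added example, not code from the original page: a scope-enforced TCP connect scan that refuses any target outside the agreed CIDR list. The SCOPE list is an assumed client-supplied rules-of-engagement allowlist, and the target is a constructed local listener so the example runs offline.

```python
"""Scope-enforced TCP connect scan (added example, not from the original page).

Models the first step of Black Box reconnaissance, host/port discovery,
while honouring the client's rules of engagement: every target is checked
against the agreed scope before a single packet is sent.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: the client's rules of engagement list the networks in scope.
# Loopback is used here so the example can be run against a local listener.
SCOPE = [ipaddress.ip_network("127.0.0.0/8")]


def in_scope(host: str) -> bool:
    """Return True only if the resolved address lies inside an agreed network."""
    addr = ipaddress.ip_address(socket.gethostbyname(host))
    return any(addr in net for net in SCOPE)


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe: True when the three-way handshake completes.

    A refused connection (RST) means the port is closed; a timeout usually
    means a firewall silently drops the SYN. Both are reported as 'not open'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False


def scan(host: str, ports, workers: int = 32) -> list[int]:
    """Scan the given ports on one host, refusing out-of-scope targets."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the agreed scope")
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(port: int = 0) -> tuple[socket.socket, int]:
    """Constructed target: a local listening socket on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        print("open ports:", scan("127.0.0.1", range(open_port - 2, open_port + 3)))
    finally:
        srv.close()
    try:
        scan("192.0.2.1", [80])  # TEST-NET address, deliberately out of scope
    except PermissionError as exc:
        print("blocked:", exc)
```

The scope check runs before any connection is attempted, which is the order a tester wants: an accidental probe of an out-of-scope host is a contractual and sometimes legal problem, not just a wasted packet. Real engagements use a full-featured scanner, but the same allowlist gate belongs in front of it.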

There are two main types of penetration test, distinguished by where the attacker starts:

External Penetration Test

  • Testing of Internet-facing servers and applications
  • Testing of websites and web applications
  • Firewall-IDS-IPS bypass testing
  • Testing of VOIP infrastructure

Internal Penetration Test

  • Malicious employee activity simulation
  • Privilege escalation attack simulation
  • Security testing of wireless networks
  • Social Engineering attack simulation
  • Phishing attack simulation
