Talking about computer security in this digital age and not thinking about systems outside the company’s private network, the internet, cloud solutions, apps and others is a mistake. We must think and try to have safe environments and the least amount of vulnerabilities possible.

In these environments there is also testing, and it is important to have it on the work table.

Penetration testing (also called “pen testing”) is a practice of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit.

Penetration testing can be automated with software applications, or it can be done manually. Either way, the process includes gathering information about the target prior to testing (reconnaissance), identifying potential entry points, attempts to break in (either virtually or live), and reporting the results.

The main goal of penetration testing is to determine security weaknesses. A penetration test can also be used to test compliance with an organization’s security policy, the security awareness of its employees, and the organization’s ability to identify and respond to security incidents.

Penetration tests are sometimes called “white hat attacks” because in such a test the good guys are trying to break in.

Penetration testing strategies are:

Goal-oriented testing
These selective tests are carried out jointly by the organization’s IT team and the penetration testing team. It is sometimes called a “lights on” approach because anyone can see the exam being performed.

External verification
This type of penetration test targets company servers or devices that are externally visible, including domain name servers (DNS), email servers, web servers, or firewalls. The goal is to find out if an external attacker can get in and how far they can go once they have gained access.

Internal tests
This test simulates an internal attack behind the firewall by an authorized user, with standard access privileges. This type of test is useful for estimating the amount of damage a disgruntled employee could cause.

Blind tests
A blind test strategy simulates the actions and procedures of a real attacker, severely limiting the information given in advance to the person or team performing the test. Usually they can only be given the name of the company. Because this type of test can require a considerable amount of time for recognition, it can be expensive.

Double blind tests
Double-blind testing takes blind testing one step further. In this type of penetration testing, only one or two people in the organization may be aware that a test is taking place. Double-blind testing can be useful for testing an organization’s security monitoring and incident identification and response procedures.

Thus, the tests on the code should not be practiced only on the operation, but also to identify vulnerabilities and to be able to correct those gaps.

SES has the vision of safeguarding the products it develops knowing that they are sometimes essential or core products for our clients.