What is a pentest?
A penetration test, also known as pentest, is an assessment of an application or computer network with the goal of finding security vulnerabilities. Ideally, a pentester can find these vulnerabilities before hackers do, giving you a chance to fix them and keep your applications and networks secure.
Why is it important?
The most obvious value of a pentest is finding your application & network vulnerabilities before a hacker does. Pentests offer a different perspective of your security - kind of like getting somebody else to proofread your writing. In addition, many compliance frameworks, such as PCI-DSS, and security best practices require routine pentesting in order for you to meet and maintain compliance.
How does it work?
Pentesters, also known as ethical hackers or white hat hackers, do all the same things a malicious hacker would do, like looking for ways into your network or ways to steal your company’s data. Instead of exploiting these vulnerabilities, however, the pentester submits a report of their findings to you.
This pentest report contains a list of identified vulnerabilities (weaknesses), details of the risks they pose (e.g., this vulnerability could be used to steal your company data), and recommendations for how you can fix these vulnerabilities to prevent them from being exploited.
Fixes for vulnerabilities may include technical changes like implementing stronger authentication or restricting network traffic with firewalls, as well as administrative changes such as requiring your developers to use specific software libraries or versions that do not contain vulnerabilities.