Penetration testing is one example of a black box DAST (Dynamic Application/Analysis Security Test). With no direct insight into the application source code, penetration testing involves software security experts trying to exploit the application either manually (by collecting system data, identifying vulnerabilities from it, and thinking like a bad actor to exploit them) or automatically (which is faster and more efficient, but cannot apply the intuition of an aggressor).
Although a traditional approach to software security, pen testing remains a key component of the Secure Software Development Lifecycle (SSDLC).
Results are distributed to stakeholders in the system, and developers address the vulnerabilities that have been exposed.
This proven, risk-based testing method usually provides accurate information, but it is far from comprehensive. Hired professionals have finite levels of expertise and limited time both to study each particular assignment and to complete their work within the deadlines set by organizations keen to get their products to market.
Unfortunately, the effectiveness of any pen test depends on the tester's ability to think "outside the box". This is a rapidly changing environment, and it is inevitable that any pre-determined list of known exploits will be out of date almost as soon as it is generated, harming the effectiveness of the test regime.
Pen testing remains a useful technique, but for best results it should be viewed as one part of the SSDLC toolkit (Figure 1), where it serves to confirm the absence of vulnerabilities rather than as a mechanism to remove them.
Figure 1: Pen testing within the Secure Software Development Lifecycle