Different types of penetration testing and its categories

This article covers the different types and categories of penetration testing. The types include network testing, web app testing, mobile app testing and others.

What is penetration testing?

Penetration testing is ethical hacking performed on a computer system, network or web application in order to find security vulnerabilities that could be exploited by hackers with malicious intentions. It is performed by white hat hackers with permission from the organization.

It helps to address potential threats to the organization's network and to ensure the privacy of its data. Moreover, it helps to protect the systems from black hat hackers with malicious intent.

Different categories of penetration testing

Penetration tests can be categorized based on their functionality and their coverage of the software, system or network under test. The categories of penetration testing are black box, white box and gray box. The choice depends on the organization's test plans and security test cases.

Black box: In this penetration test, only IP address ranges are provided to the tester. Other parameters such as the target operating system, server version and specific target details are not provided. For example, in a web app penetration test, the source code of the web app is not provided to the tester.

White box: This test goes beyond the black box test. In this penetration test, all the information about the actual target is available for testing. For example, in a network test, all the information such as operating system, version and running applications is provided to the tester. In web app penetration testing, the source code is provided. This is very useful as organizations are mainly concerned about leakage of information.

Gray box: As this is a combination of black box and white box testing, some information is available to the tester whereas some is hidden. For example, in a network test, the organization provides the names of the applications running behind an IP address. At the same time, it does not disclose the versions of the running services. In web app penetration testing, some extra information, e.g. back end server, databases and test accounts, is provided.

Different types of penetration testing

Figure: Different types of penetration testing

There are many types of penetration tests. The most common types are shown in the figure above. Let us understand these different types of penetration testing, which are performed to evaluate the security robustness of an organization's network or system.

Network penetration test: In this test, the tester examines the network environment for potential security threats or vulnerabilities. This can be categorized into two types, viz. external and internal. In an external test, the tester can test public IP addresses, whereas in an internal test, the tester becomes part of the internal network and tests it. In this testing, the organization provides physical access as well as VPN access to the tester.

Web application penetration test: Nowadays web applications host and collect critical customer data such as credit or debit card numbers, usernames/passwords and so on. Hence it is essential to perform web app penetration testing.

Mobile application penetration test: This test has also become essential today, because organizations are developing mobile apps and providing access to their customers through them on Android and iOS mobile phones. This test ensures that mobile apps are secure enough to protect the personal information of clients while they use the apps.

Social engineering penetration test: This test verifies the adherence of employees to the security policies/practices defined by the management of their organization. An example of such a test is phishing. In this test, the tester purposely sends out emails asking employees to open an unexpected attachment, to provide sensitive information or to visit an unapproved website. This test is used to verify the vulnerability of employees.

Physical penetration test: In this test, testers are asked by the organization to physically perform tests on its security controls such as locks and RFID/NFC or other scanning mechanisms.


