What is a Penetration Test, and Does Your Website Need One?

By Fiverr Team | February 16, 2022

Nearly 40% of Americans frequently worry about their personal information getting stolen by computer hackers, a recent Gallup poll revealed. It’s no wonder: Cyber attacks and data breaches regularly make news headlines. How easy would it be for criminals to hack your website and steal sensitive information about you and your customers? Penetration testing could help you find out.

What is a Penetration Test?

Penetration testing — pen testing, for short — is sometimes called ethical hacking or white hat hacking. It can help you find and fix security flaws in your website and web applications before criminal hackers get a hold of sensitive data.

Here’s how it works: With your permission, a cyber-security pro simulates a real-world cyber-attack on your website. They use the same tools and techniques as the bad guys to look for vulnerabilities in your site — and try to exploit them.

Your tester will share their findings with you. You can use this information to plug up any security holes in your website.

Who Performs a Penetration Test?

Ethical hackers known as pen testers perform penetration tests. Some pen testers have formal training in the subject, while others are largely self-taught. In either case, they may have certifications to back up their skills. Some examples include EC-Council's Certified Ethical Hacker (CEH) or CompTIA's PenTest+.

What are the Types of Penetration Tests?

There are several different types of penetration tests. Some tests you may want to use include:

  • External pen tests. These tests simulate cyber-attacks that come from outside your business. They help you find security flaws that can be accessed from the public internet.
  • Internal pen tests. These tests mimic attacks that come from inside your business. They help you understand weaknesses that employees or other insiders could exploit.
  • Blind pen tests. Also called closed-box pen tests, these tests have your ethical hackers start with just the name of your company. This kind of test can help you understand how easy it is for hackers to learn about your systems.
  • Double-blind pen tests. Also known as covert pen tests, these tests are a real-life drill for your IT staff. They can help you gauge your team’s ability to handle a real hacking attempt.

What are Common Website Vulnerabilities to Look Out For?

Ethical hackers may look for many types of security flaws when they perform pen testing. To give you an idea of what they might test for, here are the five most common web application vulnerabilities, according to the Open Web Application Security Project:

  • Broken access control. This means users have permissions they shouldn’t. For example, information that should only be shown to authorized employees is available to anyone.
  • Cryptographic failures. This means your sensitive data isn’t properly stored and transmitted. Passwords, credit card numbers, and personal information could be exposed.
  • Injection. Injection is a vulnerability that lets an attacker “inject” malicious code. They could use this to get access to sensitive data.
  • Insecure design. Design flaws in your website could leave your business vulnerable. This could include code that hasn’t been tested against known hacking methods.
  • Security misconfiguration. Business software may be highly configurable. But some customizations, like turning on unnecessary features or turning off security features, could let attackers compromise your site.

How Vulnerable is Your Website?

Many websites are vulnerable to hackers. Sites that run on content management system platforms like Drupal or WordPress tend to be targeted more often. That’s partly because they’re so prevalent, but also because their code is publicly accessible. And if you’ve customized your website with third-party plugins or themes, some of those add-ons could have security flaws.

Does My Website Need a Penetration Test?

After learning about pen testing, you may wonder: Does my business need a penetration test? In some cases, pen testing may be mandatory to comply with privacy laws and regulations. But even if pen testing isn’t a legal requirement for your business, you may choose to do it to help protect your customers’ private information.

Protect Your Business With Penetration Testing

It’s time to uncover potential weak spots in your company’s website. We make it easy — Find the perfect pen tester today.
