Introduction to penetration testing for developers
March 2, 2022
Developers take a lot of pride in their work. We strive to consistently deliver the best code and avoid dangerous edge cases, which is why we aim to detect and remediate bugs through testing and code reviews before they ship.
However, when it comes to security, sometimes we fall flat. When a team lacks the proper security tooling, it can stunt development, create extra work, and deliver dangerous security defects to clients and end-users.
Fortunately, penetration testers (pentesters) have the tools and processes to make our lives easier and our applications more secure. In this post, we're going to take a look at what penetration testing is, what tools are used for it, and why it's a great skill for developers to learn.
What is penetration testing?
Penetration testing is the practice of ethically breaking into systems from an external boundary to identify security weaknesses and vulnerabilities — effectively simulating an attacker’s attempts to compromise a system or entity. I always say that “vulnerabilities exist on the perimeter of functionality,” meaning that vulnerabilities are sometimes the result of pushing the boundaries of what a program is capable of doing.
Studying the design, intended use case, and program implementation gives a penetration tester the necessary information to perform a thorough assessment. These engagements aim to find vulnerabilities, prove that they can exploit them, and then report them to the client. Since penetration testing usually happens near the end of an SDLC, it is often the last opportunity to catch vulnerabilities before they are shipped. When combined with a robust DevSecOps program, penetration testing adds another layer of detection to supplement the efforts already in place.
What do penetration testers do?
By toying with the perimeter of functionality, pentesters can determine paths to exploitation and offer remediation guidance. This has proven to be an excellent way to detect complex defects at the core of your application.
Although code scanners find many vulnerabilities, they often miss the more complex ones. Vulnerabilities that are intrinsic to the software's functionality or stem from business logic as opposed to poor coding principles require the deeper detection capabilities of a pen test. Cases for misuse and abuse can also be uncovered during these exercises, providing an extra layer of preventative protection for the subject of the engagement.
What’s in a pentester’s toolkit?
There are many different methodologies, toolkits, frameworks, and scripts that a pentester may employ — such as fuzzers, exploit kits, scanners, and simple document templates. In an upcoming article, we’ll discuss some specific tools that developers can utilize to run their own pentests.
Why should developers care about pentesting?
Learning to conduct pentests is an extremely valuable skill. A developer can see firsthand what security researchers and bad actors could accomplish in the event of a security incident — which is perfect motivation to prioritize secure coding practices.
For a familiar point of comparison, we can examine the idea of mutation-based testing. When you perform mutation-based testing, you hope that your code passes tests even with minor changes. This helps identify weak tests, weak code, and how your program will handle errors. It is similar to the exploratory testing pentesters employ. Pentesters will modify their attack patterns to match the target, achieve better results, and see what they can get the program to accept. Testing features this way helps you understand the inherent risks of your product.
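The idea of changing inputs to see what the program accepts can be tried against your own code. The following is an added example, not part of the original post: it takes one known-good request to a hypothetical order-total function and mutates each field past its intended limit. The function names, price, and limits (quantity 1 to 100, coupon 0 to 50 percent) are assumptions made for illustration.

```python
from decimal import Decimal

PRICE = Decimal("19.99")  # constructed sample price

def order_total_weak(qty, coupon_pct):
    """Business-logic flaw: no range checks, so there is no bad 'pattern' for a scanner to flag."""
    return PRICE * qty * (Decimal(100) - coupon_pct) / Decimal(100)

def _in_range(value, low, high):
    # type() check rejects bool, which is a subclass of int
    return type(value) is int and low <= value <= high

def order_total_hardened(qty, coupon_pct):
    """Same arithmetic, with the assumed business rules enforced at the boundary."""
    if not _in_range(qty, 1, 100):
        raise ValueError("quantity out of range")
    if not _in_range(coupon_pct, 0, 50):
        raise ValueError("coupon out of range")
    return order_total_weak(qty, coupon_pct)

# One known-good request, plus mutations that step just outside each limit.
BASELINE = {"qty": 2, "coupon_pct": 10}
MUTATIONS = [
    {"qty": 0}, {"qty": -1}, {"qty": 101},
    {"coupon_pct": -5}, {"coupon_pct": 51}, {"coupon_pct": 100}, {"coupon_pct": 150},
]

def accepted_mutations(total_fn):
    """Return the out-of-policy mutations that total_fn processed instead of rejecting."""
    accepted = []
    for change in MUTATIONS:
        request = {**BASELINE, **change}
        try:
            total = total_fn(**request)
        except ValueError:
            continue  # rejected, as the business rule requires
        accepted.append((change, total))
    return accepted

if __name__ == "__main__":
    for change, total in accepted_mutations(order_total_weak):
        print(f"weak version accepted {change}: total={total}")
    print("hardened version accepted:", accepted_mutations(order_total_hardened))
```

Every mutation the weak version accepts is a finding to triage; the negative totals are the ones that would turn into a refund or credit.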
Start building pentesting skills
Penetration testing is a great way to determine the risks associated with a piece of software. By acquiring this extremely in-demand skill, developers can write better code, protect their company from potential security incidents, and develop a deeper understanding of secure development. In upcoming posts we’ll discuss specific pentest tools and methodologies, in addition to finding and remediating these looming threats with the resources you already have available, so stay tuned!