Penetration testing goes far beyond running a trivial Linux script, to detect security holes.

 

Rather, it exists in many layers and depths: code analysis, vulnerability exploitation, social engineering, detection of logical errors, supply chain design errors and beyond.

​

Tailor-made penetration testing is the ultimate way to test your true security level. However, the testing methodology must be designed and then executed well... 

​

Let's take for example Secure development. In such a case, penetration testing may consists of static and dynamic code analysis. Automated tools can be used for code analysis as well as controls for the code written. White sourcing can be used to detect backdoors as well as to validate the proper use of 3rd party code or open-source libraries. 

​

Even trivial things such as receiving a notification upon the change of a license agreement of 3rd party code embedded, could make a world of difference. 

​

Ultimately, PenTest is about having a flow and controls in place, which must be accompanied by a human who’d investigate the reports, detect logical errors which automated vulnerability scans can’t, and re-evaluate methodology and processes as needed.