Penetration testing, more commonly called pentesting, is the practice of finding holes that could be exploited in an application, network or system with the goal of detecting security vulnerabilities that a hacker could use against it. Pentesting is used to detect three things: how the system reacts to an attack, which weak spots exist that could be breached, if any, and what data could be stolen from an active system.
What’s the Point of Pentesting?
Don’t confuse penetration testing with simply vulnerability scanning or security assessments – it’s those things plus more. Pentesting helps find some of the most complicated attack vectors across systems, finding vulnerabilities that tools and techniques used during development are unable to detect, as they are testing single systems, not yet embedded in the organization’s wider network. Pentesting is also often used after an intrusion to detect the vectors used by the attackers to recreate the attack and prevent it from happening again.
Pentesting is a major component of many kinds of security audits, including the PCI-DSS regulation, which requires annual pentests on active systems that handle or hold payment information. Pentesters will use a mix of manual and automated testing, using a vast array of tools, some of which we recently covered in our post on Ethical Hacking.
Because of the dynamic nature of the security world – as well as the changing nature of hackers, staying up to date on the latest techniques, tools, and exploits is an essential part of all security professionals lives, including pentesting. At a time when application security is still so new, with brand new risks like the Internet of Things and containers and the cloud continuously popping up, it’s critical that pentesters stay in the know and be a part of the community.
And with that, we give you the 13 most popular pentesting blogs that will keep you updated and motivate your white-hat endeavors. Many of them have been in the pentesting business for years, if not decades, and still others have been blogging for nearly as long, so all of them have some powerful reasons that you should follow and learn from them. Did we miss your favorite blog? Let us know in the comments below!
Top Pentesting Blogs and Resources for all your Pentesting Needs:
The blog written by the Attack Research team is one of the best sources of information for pentesters, with posts on a wide array of pentesting techniques, discoveries, news, etc. The company also holds training sessions at Black Hat.
Active since 2012, PentestGeek is a blog dedicated to sharing the experiences of the writers and ethical hacking experts who run the blog. It’s a great peek into the everyday jobs of experienced pentesters in high-profile companies.
What began as an IRC channel in 1999 has grown into a regularly updated blog discussing the latest ethical hacking/pentesting news, tools, and techniques with over 30,000 subscribers.
This blog run by Tim Tomes (@LaNMaSteR53) with the tagline ‘a hacker looking out for users by educating,’ does exactly that. Tim details his discoveries found while hacking and blogs about topics ranging from Linux Shells to DEFCON badge hacking to AppSec hacks.
A security researcher and white hat hacker, Marco’s also big on teaching, and has held various professorships and researcher roles in his decade of experience. His blog is an extension of his knowledge, and Marco writes extensively about fascinating techniques he’s discovered over time.
Written by Daniel Compton (@commonexploits), a professional pentester for nearly two decades, Common Exploits aims to share Daniel’s expertise and news on tools, exploits and other areas of penetration testing. Daniel often shares his own scripts for various pentesting commands and exploits and is a great resource for upping your ethical hacking game.
SANS is an amazing resource for all AppSec professionals, and they offer a dedicated pentesting blog for the community. The blog is great for finding checklists for various pentesting tasks, challenges to test your skills, and posts about specific pentesting tools and techniques.
Written by the team that runs Trails of Bits, a security firm with expertise in both defensive and offensive security techniques, the blog is a collection of their shared knowledge in helping organizations improve and/or repair their security practices and processes.
We’ve featured Robin’s blog before, but Digininja is a need-to-know resource for pentesters, as well. With a focus on Metasploit, Wifi and Networking, DigiNinja is a must-read for anyone in the security industry.
A great way to stay up to date with the latest news in pentesting is to join groups and follow pentesting thought leaders on your favorite social media sites. The Ethical Hacking group is just one of many communities to join and contribute your own pentesting resources.
A great resource for everything related to penetration testing and ethical hacking, Ehacking.net is another must-have in your bookmarks bar.
There’s still a big portion of the InfoSec community who rely on email lists to get their news, as antiquated as it may seem. Seclists.org, run by the Nmap Security Scanner people, offers an outstanding, comprehensive list of the most popular mailing lists, if you so desire. There’s a unique list for everyone, including ‘noobies’ and, of course, pentesters.
If you’re ever searching for a specific type of tool, chances are you’ll find what you’re looking for on Kitploit’s site. It’s a goldmine for information on pentesting tools, so make sure to keep it in your bookmarks.
Learn more about the value of penetration testing versus static code analysis in our comparison blog post here!