Get started

Penetration testing ethical hacking and vulnerability assessments

• Software security testing and software stress testing basics

  In this excerpt from Ric Messier's book, learn why software security testing and stress testing are critical components of an enterprise infosec program. Continue Reading

• 3 tips for writing a quality penetration testing report

  Writing a penetration testing report might not be the most fun part of the job, but it's a critical component. These tips will help you write a good one. Continue Reading

• Put application security testing at the top of your do-now list

  It's time to take a new attitude toward application security. Learn what must be tested and the specific steps that will take your apps from vulnerable to fortified. Continue Reading

• Craft an effective application security testing process

  For many reasons, only about half of all web apps get proper security evaluation and testing. Here's how to fix that stat and better protect your organization's systems and data. Continue Reading

• Port Scan

  A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services -- each associated with a "well-known" port number -- the computer provides. Continue Reading

• Definitions to Get Started

  • Port Scan
  • application whitelisting
  • pen test (penetration testing)
  • honeypot (computing)

  • ethical hacker
  • vulnerability assessment (vulnerability analysis)
  • white hat
  • vulnerability disclosure

  View All Definitions

• Do you have the right set of penetration tester skills?

  Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path.Continue Reading

• application whitelisting

  Application whitelisting is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system.Continue Reading

• CompTIA PenTest+ practice test questions to assess your knowledge

  Think you're ready to take the CompTIA PenTest+ certification exam? Test your skill set with some of the sample multiple-choice questions you may be facing.Continue Reading

• 6 different types of hackers, from black hat to red hat

  Black, white and grey hats are familiar to security pros, but as the spectrum evolves to include green, blue and red, things get muddled. Brush up on types of hackers, new and old.Continue Reading

• Penetration testing vs. red team: What's the difference?

  Is penetration testing the same as red team engagement? There are similarities, but they're not the same. Understand the differences to improve your organization's cyberdefenses.Continue Reading

• What are the benefits and challenges of cloud penetration testing?

  Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help inform cloud pen test strategies.Continue Reading

• How does AttackSurfaceMapper help with attack surface mapping?

  A new open source pen testing tool expedites attack surface mapping -- one of the most important aspects of any penetration testing engagement.Continue Reading

• How to build an enterprise penetration testing plan

  Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe.Continue Reading

• Wireshark tutorial: How to use Wireshark to sniff network traffic

  Learn how to use the Wireshark packet analyzer to monitor network traffic, as well as how to use the Wireshark packet sniffer for network traffic analysis and inspection.Continue Reading

• Words to go: Email phishing security

  IT teams must take precautionary measures to address cybersecurity awareness, particularly when it comes to email. Refer to this list of email security terms to mitigate risks.Continue Reading

• Mimikatz tutorial: How it hacks Windows passwords, credentials

  In this Mimikatz tutorial, learn about the password and credential dumping program, where you can acquire it and how easy it makes it to compromise system passwords.Continue Reading

• pen test (penetration testing)

  Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.Continue Reading

• honeypot (computing)

  A honeypot is a network-attached system set up as a decoy to lure cyberattackers and to detect, deflect or study hacking attempts in order to gain unauthorized access to information systems.Continue Reading

• ethical hacker

  An ethical hacker, also referred to as a white hat hacker, is an information security expert who systematically attempts to penetrate a computer system, network, application or other computing resource on behalf of its owners -- and with their ...Continue Reading

• vulnerability assessment (vulnerability analysis)

  A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary ...Continue Reading

• white hat

  A white hat hacker is an individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks.Continue Reading

• Get great results from authenticated vulnerability scanning

  Here are five things you can do to successfully prepare and run authenticated vulnerability scanning and, in the end, achieve the most protection.Continue Reading

• CISSP Domain 5 quiz: Types of access control systems

  Get ready for the CISSP exam with this 10-question practice quiz covering key concepts in Domain 5, including access control, identity, authentication and more.Continue Reading

• vulnerability disclosure

  Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so.Continue Reading

• How does a private bug bounty program compare to a public program?

  Explore the differences of public versus private bug bounty programs, as well as the benefits of each one. Expert Mathew Pascucci explains the risk and return of both programs.Continue Reading

• black hat

  Black hat refers to a hacker who breaks into a computer system or network with malicious intent. A black hat hacker may exploit security vulnerabilities for monetary gain; to steal or destroy private data; or to alter, disrupt or shut down websites ...Continue Reading

• What advanced security analysis tools are and how they work

  The security analysis tools that provide advanced analytics are essential to counter the latest threats to enterprise systems and data. These products gather and analyze data from many different sources within an organization, and they provide ...Continue Reading

• When to take a bug bounty program public -- and how to do it

  Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Sean Martin looks at what goes into taking a bug bounty program public.Continue Reading

• Automated Security Analysis of Android and iOS Applications

  In this excerpt of Automated Security Analysis of Android and iOS Applications with Mobile Security Framework, authors Ajin Abraham and Henry Dalziel discuss mobile application penetration testing.Continue Reading

• Best practices for an information security assessment

  Information security assessments can be effective for identifying and fixing issues in your enterprise's policies. Expert Kevin Beaver explains the key components of the process.Continue Reading

• Gula talks Nessus agents and Nessus cloud

  Video: SearchSecurity spoke with Tenable co-founder Ron Gula about recent additions to the Nessus feature set, including a version that lives in the cloud.Continue Reading

• Six areas of importance in the PCI Penetration Testing Guidance

  Complying with PCI penetration testing mandates has always been a challenge for enterprises. Expert Kevin Beaver discusses the recently released PCI SSC pen testing guidance and how it can help enterprises overcome their PCI woes.Continue Reading

• How to perform IPv6 network reconnaissance

  While network reconnaissance is a critical step in identifying potential vulnerabilities, performing an IPv6 network audit without the right tools can be a challenge. Learn about the tools available and how to properly use them.Continue Reading

• PHP security tips to ensure enterprise Web safety

  Research shows more than three-quarters of PHP installations run with at least one vulnerability. Learn the steps for ensuring PHP security in the enterprise workplace.Continue Reading

• How to evaluate IPv6 network security with SI6 Networks IPv6 Toolkit

  Some security pros underestimate the importance of IPv6 network security assessment tools. Expert Fernando Gont offers an illustrated guide on how to use SI6 Networks' free IPv6 toolkit.Continue Reading

• An intro to automated penetration testing

  In this exploratory article, expert Mike Chapple explains what automated penetration testing is, why it is useful and how to start building an enterprise penetration tester toolkit.Continue Reading

• How to take a measured approach to automated penetration testing

  Automated penetration testing can play a pivotal role in improving the pen testing process while reducing the resources required, yet without the proper approach it may be a complete waste of time. Expert Kevin Beaver explains.Continue Reading

• Using the 2014 Verizon DBIR to review information security controls

  The Verizon DBIR has a wealth of information on enterprise threats, but how can the average organization put it to good use? Nick Lewis explains.Continue Reading

• Stop attackers hacking with Metasploit

  Metasploit attacks may not be sexy, but they can stab through enterprise defenses. Learn how basic security controls can thwart Metasploit hacking.Continue Reading

• How PCI 3.0 changes the PCI DSS penetration testing requirement

  The PCI DSS penetration testing requirement becomes more rigorous with the release of PCI 3.0. Expert Mike Chapple details the change.Continue Reading

• computer forensics (cyber forensics)

  Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.Continue Reading

• application blacklisting

  Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs.  Such programs include not only those known to contain security threats or ...Continue Reading

• fuzz testing (fuzzing)

  Fuzz testing (fuzzing) is a technique used by ethical hackers to discover security loopholes in software, operating systems or networks by massive inputting of random data to the system in an attempt to make it crash.Continue Reading

• The Art of Software Security Testing

  Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats.Continue Reading

• war dialer

  A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem.Continue Reading

• gray hat (or grey hat)

  Gray hat describes a cracker (or, if you prefer, hacker) who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners.Continue Reading

• Cyber Storm

  Cyber Storm is the name of a simulated attack exercise conducted by the U.S. Department of Homeland Security (DHS) February 6-10, 2006 to evaluate whether or not the country could withstand a real attack of similar magnitude...Continue Reading

• honeynet

  A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security.Continue Reading

• ethical worm

  An ethical worm is a program that automates network-based distribution of security patches for known vulnerabilities.Continue Reading

• Opinion: Emerging ethical hacker certification may be off-course

  Scott Sidel thinks the ethical hacker certification isn't all it's cracked up to be; breaking systems and fixing them is the best approach to learn the ways of the infosec pro.Continue Reading

• Frank Abagnale preaches the dangers of hacking

  A penitent Frank Abagnale Jr. shuns white-collar crime and fraud, and helps others understand how to guard against the dangers of hacking.Continue Reading

• Four steps to sound security vulnerability management

  If you're bedeviled by swarms of alerts, you can take control by practicing good security vulnerability management with these four steps.Continue Reading