Chapter 14
Top Ten Myths About Pen Testing
A myth is defined as a phenomenon or a widely held idea or belief that is usually incorrect. When you think about security analysis and doing pen tests, you might have some beliefs that may be wrong. For example, years ago everyone thought that if you were called a hacker you were a bad guy. Now, that’s not the case. With white hats, grey hats, and the like, many people these days hear the term hacker and know it isn’t always a bad thing.
That said, there are people who believe things like, “Pen testing will secure my organization or provide an adequate amount of security.” This is false. Pen testing will help to develop your security posture and increase your security level, but it is not the one thing you can rely on to secure your organization completely.
This chapter contains most of the common questions and concerns folks have about what is true and not true about pen testing. Keep these myths in mind, but don’t consider them definitive. There’s always more to learn.
All Forms of Ethical Hacking Are the Same
Many forms of security analysis exist. As a security professional, you need to know which one to conduct and when. Vulnerability assessments, for example, are used to check the status of systems to find and expose weaknesses. Pen testing is the act of actively trying to penetrate security defenses. This includes (but is not limited to) using any tool at your disposal to thwart the security ...