Penetration Testing
debt(d9/e7/b5/t7)
Closest to 'silent in production until users hit it' (d9). The detection_hints note automated=no and the code_pattern is 'No documented pen test results or security assessment in project history' — the absence of pentesting is invisible at runtime. Tools like OWASP ZAP and Burp Suite are not passive monitors; they must be actively invoked. A missing or stale pentest produces no warnings, no compiler errors, and no runtime signals — it is silent until a real attacker finds what the testers didn't.
Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix describes running ZAP/Burp Suite against staging before major releases, but the common_mistakes reveal the real cost: fixing findings without addressing root causes (e.g., fixing one SQLi without fixing the underlying parameterisation practice), no retest after remediation, and scope gaps. Properly remediating pentest findings touches authentication, input handling, business logic, and deployment pipelines across multiple files and components — this is cross-cutting work, not a single-line patch.
Closest to 'persistent productivity tax' (b5). Penetration testing applies to web and API contexts broadly. The ongoing burden is significant: every major release ideally needs a new assessment, findings must be tracked and retested, and security posture must be maintained continuously. This creates a persistent productivity tax on development and release workflows, but it doesn't entirely define the system's shape or create architectural lock-in.
Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field is explicit and severe: developers commonly equate a passed pentest with a certificate of security, when in reality it is only a point-in-time assessment by specific testers within a limited scope. This directly contradicts how other quality assurance activities (e.g., passing a test suite) are reasonably interpreted. The 'obvious' conclusion — 'we were pentested, we are secure' — is dangerously wrong and is not merely an edge case.
Also Known As
TL;DR
Explanation
Penetration testing (pen testing) involves authorised security professionals attempting to exploit a system using the same techniques as real attackers. Methodologies range from black-box (no prior knowledge) to white-box (full source access) to grey-box. A PHP web application pen test typically covers: injection flaws, authentication, session management, access control, security misconfiguration, and client-side vulnerabilities. Results are documented in a report with CVSS-scored findings and remediation guidance. Pen testing complements static analysis but cannot replace it — automated tools find different classes of bugs.
Common Misconception
Why It Matters
Common Mistakes
- Running a pentest once and treating the report as permanent — new features introduce new vulnerabilities.
- Pentest scope that excludes critical components — attackers don't respect scope boundaries.
- Fixing findings without addressing the root cause — patching one SQLi without fixing the underlying parameterisation practice.
- No retest after remediation — confirmed fixes are not verified before the report is closed.
Code Examples
// Pentest finding ignored:
// Pentest Report 2024: SQL injection on /api/search (Critical)
// Status: 'Won't fix — low risk because WAF protects it'
// 2025: WAF bypassed, data breach via same endpoint
// Root cause: findings need actual fixes, not compensating controls as substitutes
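The /api/search finding above, as an added PHP example that is not part of the original page: the vulnerable handler, the parameterised fix, and the PDO connection settings that address the root cause across the codebase rather than at one call site. The `users` table, its `name` column and the `$pdo` connection are assumptions.

```php
<?php
// Added example (not from the original page). Assumed: a PDO connection and a
// `users` table with `id` and `name` columns, queried from /api/search?q=...

// BEFORE: the Critical finding. User input is concatenated into the SQL text.
// A WAF in front of this endpoint is a compensating control, not a fix; the
// query itself is still attacker-controlled.
function searchUsersVulnerable(PDO $pdo, string $q): array
{
    $sql = "SELECT id, name FROM users WHERE name LIKE '%" . $q . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: parameterised query. The statement and the data travel separately, so
// the fix does not depend on input filtering or on the WAF staying unbypassed.
function searchUsersFixed(PDO $pdo, string $q): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name LIKE :pattern");
    // Escape LIKE metacharacters so user input cannot widen the search either
    // (backslash is the default LIKE escape character in MySQL).
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ROOT CAUSE: patching one SQLi is the "common mistake" listed above. Make the
// shared connection factory the single place every handler gets its PDO from,
// with server-side prepares enforced and errors raised as exceptions instead
// of silently returning false. Retest every finding after remediation.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}
```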
# Penetration testing phases for a PHP web app
# 1. Reconnaissance
$ whatweb yourapp.com # detect tech stack
$ subfinder -d yourapp.com # discover subdomains
$ nuclei -u yourapp.com # automated vulnerability templates
# 2. Scanning
$ nmap -sV yourapp.com # open ports and services
$ nikto -h yourapp.com # web server misconfigs
# 3. Exploitation
$ sqlmap -u 'https://yourapp.com/users?id=1' --dbs
$ burpsuite # manual testing of auth, authorisation, business logic
# 4. Post-exploitation
# Demonstrate impact: what data is accessible? Lateral movement?
# 5. Reporting
# Finding: title, CVSS score, evidence (screenshot/curl), remediation
# Annual pentest by external firm + quarterly automated scans minimum