Penetration testing is definitely one of the high profile "glory" activities in information security today - the tests can seemingly create intrusions out of thin air that wriggle their way through our carefully designed defenses to remind us that we're really nowhere near as secure as we thought. However, the practice has always been a guild-governed art with limited information on operations beyond the shelves of books on exploiting software and other technical accoutrements. Allen has taken the dialog much further with an excellent overview of the penetration testing process from the planning steps of the engagement through the test itself and reporting results.

The book opens with a very insightful chapter on the planning process for a penetration test that includes good advice on working with the client to determine scope, test objectives and limitations. The need for meticulous documentation is addressed early with introductions to MagicTree and the Dradis framework (quite useful when a team is carrying out the test). Back|Track is the toolbox used throughout the book and Allen wastes no time in getting the reader started by installing it in a virtual machine for use in the numerous exercises that occur in later chapters.

The following two chapters follow the natural progression of reconnaissance and target selection. With targets and their vulnerabilities identified, the next three chapters delve into the details of exploiting those vulnerabilities. Allen makes the solid point that identifying a vulnerability is one thing but actually using it to, for example, open a root-level shell provides solid verification to the client that a serious weakness exists.

Chapter 7, "Post Exploitation", is unique in that it recognizes that our adversaries' objective is not limited to just identifying and exploiting vulnerabilities but rather to accomplish some objective (capture credentials, access confidential information, etc.). He wisely observes that the penetration tester, unlike an actual adversary, is limited by the scope of her contract (e.g., is data modification allowed or can a persistent backdoor be created) and he must have negotiated these limits in advance during the planning process.

Chapter 8, "Bypassing Firewalls and Avoiding Detection", covers how to negotiate the defensive lines of the target while remaining below the detection threshold. This is an important chapter because many organizations do have good defenses in place and a successful penetration may involve negotiating multiple defensive layers to reach the actual target.

Chapter 9 covers the critical task of documenting the test and reporting the findings to the client. Too often the results of a well-performed penetration test are ignored by the client due to poorly communicated results that fail to convincingly convey the results of the test in such a way as to motivate the client to take action.

The final two chapters cover setting up a virtual lab environment for training and a walkthrough of an actual penetration test. This is an applied book for the technical security professional and will require significant time to set up and work through the many examples. Allen does not sugar-coat the process and the reader will have opportunities to experience and work through/around the quirks of the tools that sometimes seem to the larger part of performing the technical portions of the test.

The exercises do seem to be a bit disjoint at times and would have benefited from a clearer progression from one to the other. But looping back and starting over is something the professional penetration tester has to do quite often, so Allen may have written the book this way quite deliberately.

Working through the exercises also provides a solid introduction to the cornucopia of tools available in Back|Track and how they fit together to accomplish the goals of the penetration test.

Definitely a recommended read for the technical information security professional who might also want to share some of the sage advice on how to scope and plan for a penetration test with more managerially focused professionals.

It has been said "of making many books there is no end; and much study is a weariness of the flesh" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and shares his opinion as to which might profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org