Unauthenticated vs. Authenticated Testing

Google testing requirements mandate third-party penetration testing that includes authenticated tests. This ensures that all areas of the application are tested equally to discover issues that may otherwise not be easily identified without full access to the application.

Unauthenticated Testing Authenticated Testing
Definition Testers have no knowledge of the environment under test. No credentials are provided to the testers. Testers have full access to information about the platform being tested. This often includes accounts (including administrative users), and access to discuss functionality with developers during the testing process.
Level of detail Low Medium/High
Benefits Simulates casual attackers and automated attacks on the first line of defense within an application. Does not require a high level of expertise to perform, no knowledge of the business logic is required. Detail-orientated testing, including business-logic-related issues. More likely to find issues that would otherwise not be discovered during code audit, unauthenticated testing, or automated scanning alone.

Can be useful in testing monitoring and alerting capabilities when used in coordination with an internal IR/Monitoring team exercise.

Limitations Often misses issues that require knowledge of the application or infrastructure, or require a minimum level of access as a user. Can take additional resources from the development team, as well as testers. Often requires more experienced testers due to the increased complexity and type of issues.
VSA/IPA Requirements Not accepted. Annually

Limiting the scope of a penetration test to unauthenticated users may result in only a small subset of issues being discovered, compared to a more comprehensive test where testers have credentials to access the application itself. A limited test can find issues that a casual external attacker would discover, but this kind of test often overlooks more detailed attacks and functionality that can be abused by existing users of the system.

Specifically, an authenticated user might be able to access information that should not be user-accessible, or have the ability to perform actions that should be restricted to administrative users. With the increase of multi-tenant systems, attacks from legitimate users of the system, either directly, or due to hijacked accounts (via weak passwords, phishing, malware, etc…), are seen as a threat that is often overlooked when planning the scope and methodology of a penetration test.