A developing organization need information technology in its operational activity. However what is often considered is how to ensure that data saved in server is safe from unauthorized parties. Therefore, this thesis reviews how a person who is appointed as a security analyst do penetration testing in a system with variety tools given and how the report can be understood from by people from managers to programmers. Besides giving the how-to knowledge, this thesis also reviews how secure is the organization under review in keeping their data safe from other parties who are not supposed to get access to important operational activity data.