The invention discloses a method for system penetration testing comprising the following steps: S1, information about the test target system is gathered from a variety of public resources; S2, network information about the system test target is extracted; S3, live network hosts of the system are discovered; S4, all open ports of the system are scanned, and the services behind those ports are enumerated in order to locate and analyze vulnerabilities in the target system; and S5, the target system is penetrated using a vulnerability tool. The invention further discloses a device for system penetration testing. By adopting the method and device for system penetration testing provided by the invention, through static analysis of source code, on the one hand potential risks can be identified, software can be examined from the inside, and the security of the code can be improved; on the other hand, the quality of the code can be further improved and the security of the software can be greatly enhanced.
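The host-discovery and port-scanning phases (S3 and S4) are also the phases a defender can see most easily in connection logs. The following is an added example, not part of the patent, showing simple detection logic for both phases run over a constructed firewall log; the log format, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the patent):
# timestamp, source IP, destination IP, destination port, action.
# Both ALLOW and DENY entries count: a scan is visible either way.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 22 DENY
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 80 ALLOW
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 443 ALLOW
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 3306 DENY
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 8080 DENY
2024-01-01T10:00:10 10.0.0.7 192.168.1.20 443 ALLOW
2024-01-01T10:00:11 10.0.0.7 192.168.1.21 443 ALLOW
2024-01-01T10:00:12 10.0.0.7 192.168.1.22 443 ALLOW
2024-01-01T10:00:13 10.0.0.7 192.168.1.23 443 ALLOW
2024-01-01T10:00:14 10.0.0.7 192.168.1.24 443 ALLOW
2024-01-01T10:05:00 10.0.0.9 192.168.1.10 443 ALLOW
"""

def parse_log(text):
    """Parse one event per line into (timestamp, src, dst, port, action)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events

def detect_scans(events, window=timedelta(seconds=60), threshold=5):
    """Return sorted (source, kind, target) alerts. 'port_scan' means one source
    touched >= threshold distinct ports on a single host within the window (S4);
    'host_sweep' means one source touched a single port on >= threshold distinct
    hosts within the window (S3)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = set()
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            # Sliding window starting at each event of this source.
            win = [e for e in evs[i:] if e[0] - first[0] <= window]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, _, dst, port, _ in win:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold:
                    alerts.add((src, "port_scan", dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= threshold:
                    alerts.add((src, "host_sweep", str(port)))
    return sorted(alerts)
```

On the sample log this flags 10.0.0.5 for a port scan of 192.168.1.10 and 10.0.0.7 for a sweep of port 443, while the single connection from 10.0.0.9 is ignored.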