A penetration test is a simulated cyber attack. We conduct application (web, native, mobile), infrastructure and physical penetration tests.
We regularly perform penetration tests on networks, web applications and mobile applications with extremely high security demands, such as SCADA systems, financial institutions and VPN services. Our consultants combine manual and automated testing with code reviews in order to achieve excellent coverage of your web application or infrastructure. We generally perform our testing in a white-box fashion in order to ensure a cost-effective relationship with our clients.
The outcome of a penetration test is, in addition to an extensive report, a better understanding of your security posture and expert recommendations on how to improve it.
A penetration test is an authorized, simulated cyber attack on a computer system, network or application. Most often the penetration testers are well informed about the system under test, have access to its source code and are in contact with the system's owners, so that they can provide correct and detailed results in a short time. A penetration test may include an element of physical presence at the recipient's premises and may be performed with different levels of awareness among the recipient's staff, depending on the scope of the test.
The primary goal is to evaluate the security of the target: to find weaknesses (vulnerabilities) in the target's configuration and/or implementation which could lead to unauthorized access to features or data on the target.
The technical details can vary depending on the target but the common steps are: scoping of the target and planning; information gathering and reconnaissance; discovery and scanning; vulnerability assessment; exploitation (post-exploitation); final analysis and review; reporting and presentation. The scope can focus on very specific functionality to identify hard-to-find issues or be broad to cover common issues in a large attack surface.
Initial planning and scoping usually takes 2-3 weeks, depending on resource availability. This is where the scope, rules of engagement and other contract-related tasks are settled. The active testing, depending on the target's scope, could take 1-4 weeks. After the active testing is concluded, the team generally spends one week finalizing the analysis, documentation and reviews. Smaller verification tests and manual interactions with the test target may also be needed during this period. Sometimes, fixes for findings that are completed during the test can be verified within the project period, but most often a verification test is carried out later on. After the report is handed over to the customer, a debriefing presentation is held to showcase and discuss the findings with the customer and interested parties.
A penetration test can be performed at several stages of the development and deployment/release cycle, for example when a new feature is implemented or a new system is about to be deployed. It all depends on the target and its life cycle and/or requirements. It is beneficial to conduct a penetration test on new features with enough time before they go into production to resolve the issues found and verify the fixes, but that is not always possible.
You will get a written report as well as a presentation detailing the issues found in your system(s), their risk rating and recommended actions for mitigation. This information can be used to strengthen and improve the security posture of your assets. It is not uncommon that recommendations for further assessment are provided once familiarity with the target's architecture has been acquired.
Get in touch to inquire about a penetration test with our experienced team.