We recommend a penetration test for systems that hold critical and sensitive data. Such systems need special protection; automated security tests that only find known security gaps are not sufficient here.
With our combination of predominantly manual tests and customized automated tests, we also identify configuration and programming errors that are not yet publicly known.
Penetration test procedure
Each penetration test is individual. For the different scenarios we have procedures that we can recommend. We can provide you with experts in all areas, from white box to grey box to black box tests, and from server infrastructure to applications.
We go through the following points with you:
- What is the test object?
- Who is informed about the test?
- Which type of test is planned, e.g. black box or white box test?
- Scheduling of the tests
- Depth of testing: are vulnerabilities only identified, or also exploited in a proof of concept?
- Who receives which test results?
Basis of the Penetration Tests:
The tests are based on recognized security standards. In addition, we can carry out these tests on the basis of the specific requirements arising from your business.
The best-known standards in this area are:
- PCI DSS (Payment Card Industry Data Security Standard)
- BSI Guide to IT Security Penetration Testing
- HIPAA (Health Insurance Portability and Accountability Act)
- BaFin (Federal Financial Supervisory Authority) IT security regulations
- OWASP (Open Web Application Security Project) Testing Guide
- PTES (Penetration Testing Execution Standard)
- OSSTMM (Open Source Security Testing Methodology Manual)
Here we check your web application for possible vulnerabilities, such as those described in the current version of the OWASP Top Ten:
- Unauthorized access to restricted areas
- Takeover of the web server as a springboard for further attacks
- Takeover of your web application with the aim of deliberately publishing false information
- Unauthorized reading of data
- Manipulation of data
- Checking your network interfaces from the inside and the outside
- Checking your server operating systems for possible weak points and points of attack
- Testing these entry points and installing possible backdoors
- Attacks on your firewall
- Finding and identifying potential entry points into your network over the Internet
- Penetrating closed-off areas in your internal network
With WLAN networks it is often overlooked that they do not end at the office boundaries but are frequently visible from public areas, and thus represent a potential risk.
- Finding all accessible WLANs
- Searching for unwanted WLANs via smartphone or tablet
- Attempting to break into the protected WLANs
- Attempting to break into your internal network via unsecured guest networks
With our report you receive a management summary, including an evaluation of the security level. We usually deliver our reports in a format that cannot be altered and is protected against unauthorized access.
In addition, you receive a description and mitigation recommendations for each identified vulnerability. If we have agreed on a specific report format in advance, we will of course take this into account.
We also deliver our reports only to the agreed group of people.
We see our reports as a starting point. Together with you, we try to find ways to convert the findings from the penetration test into automated tests. These can then be used as early as the development or design phase of a product.
We will also be happy to hold a workshop with your employees after a penetration test, in which we explain the security gaps found and present possible countermeasures.
As an additional service, we can set up a security monitoring system for you so that your critical systems are monitored regularly and automatically in the future.
After our experts have set up the monitoring, we pass on the required knowledge to your employees in a workshop so that they can evaluate and classify the results and, if necessary, adapt the tests to future requirements.
Contact us today and request more information.