The purpose of a pen test (or penetration test) is to find out how vulnerable an application (online or mobile), a system, or a (cloud) infrastructure is to attacks from within and from outside. A vulnerable (web) application or insufficiently secure system can have far-reaching financial consequences or lead to reputational damage.
A pen test is often performed by security specialists who put themselves in the shoes of malicious hackers and try to penetrate secure environments. A pen test answers the question: Is my application, system or infrastructure resistant to attacks?
The difference between a pen test and a real attack by a malicious hacker is that the pen test is always carried out on behalf of and after consultation and is intended to reveal vulnerabilities and the underlying causes. The pen test takes place after the scope of the investigation has been established. Afterwards, clients receive an extensive report on what vulnerabilities our pen testers have found. The results are presented to the client in a 'Findings meeting', during which concrete proposals for improvements are made, so that targeted action can be taken to bring the security up to standard.
Pentest type: Black, White and GrayThere are different forms of pen testing. Perhaps the most famous is the Black Box test. In this form, the pen tester does not receive any information in advance about the application, the system or the IT environment to be tested. The level of knowledge of our pentest team here is comparable to that of a malicious hacker. This pen test is usually the least thorough, partly because a lot of time is spent investigating the unfamiliar environment.
In a White Box test, the tester receives all possible information about the system to be tested in advance. This is the most thorough pen test and the most efficient way to perform the test. That is why this method is preferred by Securify. Since our pen testers have access to the source code, they can get to the root causes of vulnerabilities and make targeted recommendations to take security to a higher level.
The intermediate form is the Gray Box test, in which the ethical hacker receives limited information in advance. The simulation level of the pentester here is comparable to that of a resentful (former) employee or a customer. This form can be used to assess the security of an application or environment from within.
The Pen Test ProcessThe first step in conducting a pen test is the intake interview. In this, the scope of the test is determined and agreements are laid down about the best approach, methodology and the time frame in which the pen test takes place. Based on the intake interview, we make a quotation for the client.
The preparation for the test consists of a detailed elaboration of the intake interview, including an inventory of the systems or environment to be examined. All relevant information is collected about the system with regard to users, IT architecture, network structure, accounts, source code, existing security and the like. In an internal kick-off meeting, the team comes together to discuss a strategy and devise attack scenarios.
The pen test follows at the agreed time in accordance with the previously established scope. Everything we do and encounter during their attack is accurately logged and documented. The organization under investigation is informed of the start and end of the test via so-called 'start/stop emails'. There is also the option of 'every-day updates' with which the client is kept informed of the findings of the pentest team during the test. If the team encounters a high-risk vulnerability during the pen test, the client is immediately informed of this. All findings, recommendations and conclusions are presented in an extensive report that is presented to the client in a findings meeting.