In a Penetration Test or Pentest, we perform a comprehensive security test of all the relevant components of your network, devices and services.
The structures that we test vary greatly, and so do our approaches by which we perform the test; but for a comprehensive security test, the following procedure has proved to be the most useful:
- Definition of the test objectives
- Definition of the objects to be tested
- Information gathering
- Automatied testing for vulnerabilities
- Manual verification of results
- Manual testing of targets
- Documentation of the results
- Discussing the results
As the server infrastructure as well as applications are updated and altered every so often in most cases, periodic testing is advisable (e.g. annually, after major updates, after changing the infrastructure etc.)
The range of topics tested thoroughly during a standard test is as follows:
- DNS servers (Nameserver)
- Mail servers
- Web, database and application servers
- Search for other services of the customer
- Testing of external service providers (Newsletter ASP, Payment Gateways etc)
- Customer’s website(s)
The tests performed on webistes or web applications are as follows:
- Susceptibility to SQL Injection
- Susceptibility to XSS / Cross Site Scripting
- Other items from the OWASP checklists
- Search for files and folders with contents not intended for the public
- Search for errors in the application, which allow output of non-public data or execution of software on the server
- Search for misconfiguration (Directory Listing, SSL configuration)
- Security of the customer data (Logins, Sessions, encryption etc.)
The test report for a small test comprises 35-45 pages and can go to hundreds of pages for larger networks, they offer background information and suggested solution approaches for all tests and results, in addition to classification from “Good” to “High risk” for each test performed.
The tests can be performed as Blackbox, Graybox or as Whitebox Tests; according to whether we have no information, some information or detailed information from you about your network and your infrastructure.
We can of course also perform partial tests, concentrating on the areas that are of most interest to you.
Just call us on 044 586 64 68 for more information