What is a penetration test and why should I get one?
A penetration test (aka pen-test), is an authorised simulated cyber-attack on a computer system, performed to evaluate the security of the system. As part of the penetration testing process the strengths and weaknesses of the system will be highlighted where the weaknesses (known in the industry as vulnerabilities) will be exploited to help understand the full technical risk.
Note that a pen-test is different from a vulnerability test where the latter is conducted to identify vulnerabilities (weaknesses) in the system but attempts to exploit these vulnerabilities will not be made.
Tell me more
Pen-testing typically follows a strict methodology using a white-box or black-box approach. A white-box pen-test simply means that information about the target has been shared with the pen-testers prior to starting, this can be useful to help focus the testing and in some cases speed up the process.
Black-box pen-testing simply means no information about the target has been shared with the pen-testers. As such, with this approach pen-testers use best efforts to identify all weaknesses, however, full coverage may not be made in the time available and stuff could get missed.
Why Bother?
Good question. There are many reasons for doing a pen-test, it could be a validation exercise of your ability to design, develop and secure a new system or application or it could be as part of a regulatory or a mandatory requirement such as PCI-DSS. It could also be to understand how your business will stand up to an attack in readiness for when it actually happens.
It’s a highly recommended exercise and should be performed regularly particularly when changes have been made to infrastructure and/or applications that may have introduced a vulnerability and exposed a weakness that will be exploited at some point in time.
How we do pen-testing @ OnSecurity
We’re different. Firstly, let’s get the standard stuff out of the way. We’ll follow industry standard methodologies and best practice just like any other provider. We understand the risks associated with testing and take care to avoid disruption or impact on the business during testing.
We’ll also ask for a technical point of contact whilst testing and you can rest assured our findings will use the Common Vulnerability Scoring System (CVSS) which provides a numerical score identifying the severity of the vulnerability.
How we differ. We use technology to help clients scope a pen-test, our engagement portal removes much of the hassle of commissioning a test. Our intuitive scoping process will capture and refine your requirements in readiness for test scheduling. The pen-test booking process is simplified, you choose the dates, we’ll provide the testers and we can usually begin testing within a 48 hour lead time.
You’ll notice that our estimates are in hours, that’s how we charge. We don’t add a magical ‘plus one day’ for reporting, if we don’t need all of the hours for the pen-test, we won’t use them. We’ll give them back to be used on your next engagement.
We publish findings in your portal in real time with alerts/notifications to allow for immediate triage and remediation, if required. This also gives an ongoing risk profile of the system under test during the engagement.
Using our messaging integration via Slack, you can engage with our testers as they test. Perhaps you need a status update, or have a question about the fix you’re about to deploy - no problem, just ask. It’s like we’re an extension of your in-house team.
Of course, just like your incumbent provider, the final test report detailing all issues can be downloaded from the engagement portal at any time.
Oh.. did I mention that we don’t charge cancellation or rescheduling charges? Projects don’t always run to plan, we get that - need to reschedule a pen-test? No worries.
Is there anything else?
Yes. Pen-tests are only a snapshot of your infrastructure and/or applications risk status at the time of testing, should any changes be made, such as bug fixes or patching we recommend a re-test of issues to ensure they are fixed and closed. Further pen-tests are recommended at regular intervals or at least annually – depending on your requirements.
About me
I’m co-founder of OnSecurity and passionate about cyber security, tennis and Rubik's cubes. My guilty pleasure is attending magic conventions and eating pork scratchings. If only there was a magic wand to make client security woes disappear, it could replace the vendor silver bullet.
When not playing ITF seniors tennis, I’ll be hanging by the sea, I’ve discovered longboarding.
You can contact me at dave.hewson@onsecurity.co.uk or connect on Linkedin Happy to chat, happy to help.