Penetration testing is all about a skilled specialist using a full arsenal of methods and techniques to try to compromise a client's security systems. The manual and automated tests, combined with the ethical hacker's knowledge and creativity, are considered a detailed representation of how a real attack would be conducted.
Pentesting considers several areas:
- Network, where it focuses on network- and system-level flaws
- Web and mobile applications, where we leverage the OWASP framework to maximize attack potential
- IoT, where we focus on critical areas that go beyond basic flashpoints, such as protocols, encryption, UI and APIs
Well-performed pentesting allows analyzing attack vectors, assessing casualties and, overall, testing your security infrastructure in real conditions. Ultimately, the goal is to prepare a strategic roadmap with solutions that patch the vulnerabilities we found and develop defences in the short and long term.
When performing pentesting services, we adopt state-of-the-art tools, in line with best practices in the security testing industry:
- Dynamic Application Security Testing (DAST) - to detect vulnerabilities for applications in their running state
- Nessus - to quickly identify software flaws, malware and misconfigurations, in order to understand potential attack vectors and use them against the system
- OWASP ZAP (Zed Attack Proxy Project) - for scanning a web application to find gateways that lead to more efficient testing
- Static Application Security Testing (SAST) - for finding flaws in source code
- Checkmarx - to manage software exposure; useful in CI/CD pipelines
- SonarQube - used for Continuous Inspection to improve code security
For the best coverage of mobile and web services, we follow the OWASP Testing Guide. For more complex tests that include infrastructure and multi-component projects, we use the PTES guide.