Closing every last gap

Penetration tests

You have an important application or a central IT service and want to know whether it is secure? You do not trust the security of your Windows clients, a Linux server or any other system? Then a penetration test is just the thing.

500+ customers place their trust in us – from startups to large companies

Application area

Acceptance test prior to the go-live of a critical application (self-developed or purchased) or prior to the rollout of an IT system (e.g. client or server template).

Objectives

Are there relevant vulnerabilities in the application or in the configuration of the systems under test? Is the security level state-of-the-art?

Result

A meaningful assessment of the security level of the app or system with a detailed report on relevant vulnerabilities, including recommendations for action.

Penetration tests

What is the security level of a particular IT asset or group of assets?

A penetration test aims to identify the security-relevant vulnerabilities and improvement potential of a specific asset in order to assess its security level.

Generic flaws are often found early by automated scans with state-of-the-art tools. In addition, critical functions are always examined manually by experienced penetration testers; this is how we also find logic errors and weed out false positives.

As a result, you receive a detailed test report that describes all identified vulnerabilities, assesses their risk, provides meaningful recommendations and summarizes them in a management summary.

Pentest characteristics

Pentest of web applications

Approach


In a web application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.

Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.

We typically perform penetration testing of web applications using the greybox approach, looking not only at the web GUI itself, but also at associated APIs and web services, as well as the underlying infrastructure.

A penetration test includes the following steps:

Preparation

  • Coordination of the scope and the depth of testing
  • Kick-off meeting

Execution

  • Automatic scans for vulnerabilities
  • Manual analysis and hacking

Evaluation

  • Creation of a detailed report

Methods and standards used


Methodologically, we follow proven guidelines when conducting penetration tests:

In terms of content, we are mainly guided by the established standards of the OWASP project:

If necessary or useful, we extend this by:

Pentest of fat client applications

Approach


In an application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.

Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.

We usually perform penetration tests of fat client applications using the greybox approach, looking not only at the GUI of the application but also at the backend and the communication channels.

A penetration test includes the following steps:

Preparation

  • Coordination of the scope and the depth of testing
  • Kick-off meeting

Execution

  • Automatic scans for vulnerabilities
  • Manual analysis and hacking

Evaluation

  • Creation of a detailed report

Methods and standards used


Methodologically, we follow proven guidelines when conducting penetration tests:

In terms of content, we are mainly guided by the established standards of the OWASP project:

If necessary or useful, we extend this by:

Pentests of clients and servers

Approach


Typical test objects are physical or virtual Windows or macOS clients, Citrix servers, as well as reference images of Windows, Linux or AIX servers that are used, for example, as templates for cloud VMs or in a container registry.

In a client or server pentest, we analyze a reference implementation with respect to many aspects:

  • Are access rights limited to the minimum required?
  • Is the system adequately hardened?
  • Are all components up to date, including drivers, operating system, middleware and third-party applications?
  • Is strong authentication used, and is administrative access restricted?
  • Is locally stored information access-protected and appropriately encrypted, and is it free of highly sensitive data such as credentials?
  • Are hard drives encrypted and adequately protected against theft or loss?
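As an added illustration of the kind of checks behind these questions, the following POSIX shell script audits a mounted reference image root (a path such as /mnt/image is assumed) for accounts without a password, permissive sshd settings, world-writable files, plaintext credentials under /etc and a missing crypttab entry as a rough proxy for missing disk encryption. This is example code written for this page, not HvS tooling; the check names and detection patterns are simplifications, and the sample image root it builds when run without an argument is constructed so the script can be tried offline.

```shell
#!/bin/sh
# Added example: audit a mounted reference image root for a few of the
# hardening questions above. Not HvS tooling; check names and patterns are
# illustrative simplifications. Usage: sh audit.sh /mnt/image (path assumed).

# Emit one finding per line: <check><TAB><detail>
finding() { printf '%s\t%s\n' "$1" "$2"; }

audit_image() {
    img="$1"

    # 1. Accounts with an empty password field in /etc/shadow can log in
    #    without any password at all.
    if [ -r "$img/etc/shadow" ]; then
        awk -F: '$2 == "" { print $1 }' "$img/etc/shadow" | while read -r user; do
            finding EMPTY_PASSWORD "$user"
        done
    fi

    # 2. sshd permitting direct root login or password authentication:
    #    administrative access should be restricted and key-based.
    cfg="$img/etc/ssh/sshd_config"
    if [ -r "$cfg" ]; then
        grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg" \
            && finding SSH_ROOT_LOGIN "$cfg"
        grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$cfg" \
            && finding SSH_PASSWORD_AUTH "$cfg"
    fi

    # 3. World-writable regular files: any local user can tamper with them.
    find "$img" -xdev -type f -perm -0002 2>/dev/null | while read -r f; do
        finding WORLD_WRITABLE "$f"
    done

    # 4. Plaintext credentials in configuration files under /etc. The pattern
    #    is deliberately simple; a real review also covers application
    #    directories, home directories and shell history.
    grep -rEil '(password|passwd|secret|api[_-]?key)[[:space:]]*[=:][[:space:]]*[^[:space:]]+' \
        "$img/etc" 2>/dev/null | while read -r f; do
        finding CREDENTIAL_IN_FILE "$f"
    done

    # 5. No crypttab entry: a rough proxy for "no full-disk encryption".
    if [ ! -s "$img/etc/crypttab" ]; then
        finding NO_DISK_ENCRYPTION "$img/etc/crypttab"
    fi
    return 0
}

# Number of findings, so a pipeline job can fail on a threshold.
count_findings() { audit_image "$1" | wc -l | tr -d ' '; }

# Constructed sample image root that deliberately fails every check once.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh" "$dir/opt/app"
    printf 'root:$6$x:19000:0:99999:7:::\nsvc:!:19000:0:99999:7:::\nguest::19000:0:99999:7:::\n' \
        > "$dir/etc/shadow"
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$dir/etc/ssh/sshd_config"
    printf 'db_host = db01\ndb_password = Sup3rSecret\n' > "$dir/etc/app.conf"
    printf 'cache\n' > "$dir/opt/app/cache.dat"
    : > "$dir/etc/crypttab"
    chmod 600 "$dir/etc/shadow"
    chmod 644 "$dir/etc/ssh/sshd_config" "$dir/etc/app.conf" "$dir/etc/crypttab"
    chmod 666 "$dir/opt/app/cache.dat"
    printf '%s\n' "$dir"
}

# Demo: audit the image root given as $1, otherwise the constructed sample.
target="${1:-}"
if [ -z "$target" ]; then
    target=$(make_sample_root)
    audit_image "$target"
    rm -rf "$target"
else
    audit_image "$target"
fi
```

Run against a real image root as root, since /etc/shadow and a full find require it. Each check maps to one question from the list; the crypttab check in particular is only a heuristic, because encryption may be applied by the hypervisor or cloud platform rather than inside the image.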

We typically perform penetration testing of clients and servers using the whitebox approach. A penetration test includes the following steps:

Preparation

  • Coordination of the scope and the depth of testing
  • Kick-off meeting

Execution

  • Automatic scans for vulnerabilities
  • Manual analysis and hacking

Evaluation

  • Creation of a detailed report

Methods and standards used


Methodologically, we follow proven guidelines when conducting penetration tests:

In terms of content, we are mainly guided by the established standards of the OWASP project:

If necessary or useful, we extend this by:

Ready to have an application, client or server image tested?

Let us agree on the scope, clarify the commercial aspects and convince you of our skills.

Individualization of assessments

Penetration tests are the "classic" among assessments and a very good choice in many cases.

However, they reach their limits when, for example, several components are in scope at the same time, active testing is not permitted for legal reasons or because of the risk of outages, or an outside view free of operational blindness is desired.

That is why we have further developed our assessment approaches. They differ in their objectives and in the use of different methods and techniques. We can flexibly combine these methods and offer you an individual assessment.

The only thing we need is a concrete objective or question: what do you want to achieve with the results? We then find a good balance between the scope covered, the depth of testing and the degree of realism, keeping the effort and cost of the assessment within reasonable limits.

We will be happy to advise you on individual assessments, just get in touch! In the meantime, get inspired by our other assessments.

More HvS security assessments

Security stress test

Test your IT security with a security stress test! Find out how quickly attackers can infiltrate your network and what damage an attack could cause.

Red teaming assessment

How well can you detect and defend against real cyber threats? Our Red Teaming Assessment simulates attacks to uncover vulnerabilities and improve detection.

Red vs blue and purple teaming

The training camp for incident response teams. How quickly does your Blue Team recognize attacks? Is the severity correctly assessed and how long does it take to successfully defend against them? Send your team to training camp!

Social engineering assessments

Professional industrial espionage often involves physical attacks or insider attacks (social engineering), even if the target is in cyberspace. Our social engineering assessments protect your company from social engineering attacks.

Cloud Security Assessments

The cloud - whether IaaS, PaaS or SaaS - can be secure if it is planned and configured correctly. We help you to ensure this! Arrange a cloud assessment appointment with us today.

Vulnerability scans

Which systems are accessible and potentially vulnerable? Our vulnerability scan identifies security gaps, shadow IT and forgotten services - before attackers do.
