Penetration tests
You have an important application or a central IT service and want to know if they are secure? You don't trust the security of your Windows clients, a Linux server or any other system? A penetration test would be just the thing!
What is the security level of a particular IT asset or group of IT assets?
A penetration test always aims to identify all security-relevant vulnerabilities and potential improvements of a specific asset in order to assess its security level.
Generic flaws are often identified early in automated tests using state-of-the-art tools. In addition, critical functions are always examined manually by experienced penetration testers. In this way, we also find logical errors and avoid false positives.
As a result, you receive a detailed test report that describes all identified vulnerabilities, assesses their risk, provides meaningful recommendations and summarizes them in a management summary.
Pentest characteristics
In a web application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.
Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.
We typically perform penetration testing of web applications using the greybox approach, looking not only at the web GUI itself, but also at associated APIs and web services, as well as the underlying infrastructure.
A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by the established standards of the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
If necessary or useful, we extend this with:
- CIS Benchmarks (Review of configurations)
- IT-Grundschutz (Review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
In an application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.
Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.
We usually perform penetration tests of fat client applications using the greybox approach, looking not only at the GUI of the application but also at the backend and the communication channels.
A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by the established standards of the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
If necessary or useful, we extend this with:
- CIS Benchmarks (Review of configurations)
- IT-Grundschutz (Review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
Typical test objects are physical or virtual Windows or macOS clients, Citrix servers, as well as reference images of Windows, Linux or AIX servers that are used, for example, as templates for cloud VMs or in a container registry.
In a client or server pentest, we analyze a reference implementation with respect to many aspects: Is access limited to a minimum? Is the system adequately hardened? Are all components up to date, including drivers, operating system, middleware and third-party applications? Is strong authentication used and is administrative access restricted? Is locally stored information access-protected and appropriately encrypted, and is it free of highly sensitive information such as credentials? Are hard drives encrypted and adequately protected in case of theft or loss?
We typically perform penetration testing of clients and servers using the whitebox approach. A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by established standards:
- CIS Benchmarks (review of configurations)
- IT-Grundschutz (review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
If necessary or useful, we extend these with standards from the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
In addition, we draw on our HvS vulnerability database, which is regularly fed with new attack vectors and test cases through our incident response and threat intelligence activities.
Penetration tests are the "classic" among assessments and a very good choice in many cases.
However, they reach their limits when, for example, several components are in scope at the same time, active testing is not permitted for legal reasons or because of the risk of outages, or an outside view free of "operational blindness" is desired.
That is why we have further developed our assessment approaches. They differ in their objectives and in the use of different methods and techniques. We can flexibly combine these methods and offer you an individual assessment.
The only thing we need is a concrete objective or question: what do you want to achieve with the results? We then find a good balance between the scope covered, the depth of testing and the degree of realism, keeping the effort and costs of the assessment within reasonable limits.
We will be happy to advise you on individual assessments, just get in touch! In the meantime, get inspired by our other assessments.