Penetration testing, also known as a pentest, is a service that assesses the security of information and communication infrastructure using the tools and methods of a simulated attacker.
The assessment is carried out from the perspective of a potential attacker and includes active exploitation of vulnerabilities in the Customer's systems. These vulnerabilities can exist in operating systems, services and applications, in misconfigurations, or in dangerous end-user behavior.
The result of the work is a report containing all the security vulnerabilities found and recommendations on how to eliminate them.
Penetration testing can involve attempting to compromise any number of application systems (e.g. application programming interfaces (APIs), external or internal servers) in order to identify vulnerabilities.
Why is penetration testing so important?
A pentest evaluates an organization's ability to protect its networks, applications, and end users from external or internal attempts to bypass security measures and gain unauthorized access to protected resources.
It is an opportunity for a company to identify risks and take a proactive approach to security, to verify that existing security programs are working, and to increase confidence in its security strategy.
Types of testing:
External network penetration testing: analysis of the Customer's external perimeter in order to bypass its protection and gain access to the internal network;
Internal network penetration testing: analysis of the internal network infrastructure in order to gain access to resources and elevate privileges to administrator level;
Wireless penetration testing: analysis of the organization's wireless networks from within their coverage area in order to gain access to the corporate network;
Protected segment (SWIFT, PCI DSS, etc.): testing from the point of view of an internal intruder who holds a domain account and whose goal is to completely compromise the infrastructure of the protected network and its operator workstations;
Social engineering testing: analysis of the organization's readiness for attacks carried out through personnel, such as phishing messages, information disclosure, and the use of restricted devices.
Service composition:
Determination of the type and goals of testing: obtaining information from the Customer about the type of test to be performed, its goals, and the desired attack vectors
Information gathering: reconnaissance, collection of information from open sources, and identification of vulnerabilities
Vulnerability analysis: analysis and exploitation of the identified vulnerabilities in order to obtain unauthorized access to the Customer's information resources
Documentation: recording the information obtained during the analysis and exploitation of vulnerabilities, describing the methods used and the deficiencies identified
Report: a description of the identified deficiencies, the testing progress, recommendations for their elimination, and conclusions for the Customer's management, including an overall assessment of the security level
Penetration testing techniques:
In addition to analyzing networks and web resources, we also analyze the security of mobile applications in order to find vulnerabilities in a specific mobile application and determine whether sensitive data can be obtained through them.
Mobile application security testing is most often carried out according to the OWASP Mobile Top 10 methodology.
A pentest of a mobile application includes studying its logic, its handling of confidential information, and the security of its communication with the various APIs it uses.
Contact us now to receive comprehensive information about all the technical features and benefits of the pentest service!