A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
External penetration tests target the assets of a company that are visible on the internet, e.g. the web application itself, the company website, cloud integrations and services.
In an internal test, a tester will assess the assets of a company that are inside the company, e.g. internal web portals, databases and middleware, wireless devices and the internal network.
Web Application & Mobile Application Penetration Testing
In a web application penetration test, we assess the resilience of the application by checking for remotely exploitable vulnerabilities, flaws in the application architecture, design and implementation, assessing the controls of user access, privilege levels, development and delivery, and overall design of the applications. This allows for a complete threat profile of a web application’s environment.
These penetration tests are designed around well-known security assessment guides such as:
Network Penetration Testing
In a network penetration test, the process includes identifying the targets, fingerprinting and reconnaissance, identification of vulnerabilities and lastly exploitation.
Whether these vulnerabilities are exploited depends on whether exploitation was agreed in advance as part of the engagement. Exploitation is always kept limited, so as not to cause issues on the systems under test.
Automated Port Scanning and Exposure Identification
For large and very large networks, it is a must to periodically scan a large range of IP addresses, determine which ports are open, and attempt to identify the services running on those ports and their state of exploitability. Automating this allows bigger organizations to easily identify newly added assets, evaluate their exposure to known vulnerabilities and move a step further towards cyber resiliency.
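The comparison step behind "identify newly added assets", as an added example that is not part of the original page or the provider's tooling: it diffs two periodic scan results and reports hosts and open ports that were not in the baseline. It assumes the scans are saved in Nmap's grepable (`-oG`) layout; the two snapshots and the function names are constructed for illustration.

```python
import re

# Constructed sample data in Nmap grepable (-oG) layout; addresses are from
# the RFC 5737 documentation range, not real scan results.
BASELINE = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 3306/closed/tcp//mysql///
"""
CURRENT = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///
Host: 192.0.2.50 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

def parse_open_ports(text):
    """Return {host: {(port, proto): service}} for ports in state 'open'."""
    inventory = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s.*?Ports:\s+([^\t]*)", line)
        if not m:
            continue  # status lines, comments, blank lines
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                inventory.setdefault(host, {})[(int(fields[0]), fields[2])] = fields[4]
    return inventory

def diff_exposure(old, new):
    """Compare two inventories; report new hosts, new ports and closed ports."""
    report = {"new_hosts": [], "new_ports": [], "closed_ports": []}
    for host in sorted(new):
        if host not in old:
            report["new_hosts"].append(host)
        for key in sorted(set(new[host]) - set(old.get(host, {}))):
            report["new_ports"].append((host, key[0], key[1], new[host][key]))
    for host in sorted(old):
        for key in sorted(set(old[host]) - set(new.get(host, {}))):
            report["closed_ports"].append((host, key[0], key[1], old[host][key]))
    return report

if __name__ == "__main__":
    result = diff_exposure(parse_open_ports(BASELINE), parse_open_ports(CURRENT))
    for kind, items in result.items():
        print(kind, items)
```

A port that moves from closed to open on an existing host (3306 in the sample) is reported as new exposure, the same as a port on a newly added host.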
The White Box Approach
In a white box approach, both the tester and the organization work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
The Grey Box Approach
In a grey box approach, the organization works with the tester so that the tester understands the application’s workflow and has the relevant information and necessary accesses to test a variety of test cases. The tester is not given information about the underlying architecture and network.
The Black Box Approach
In a black box approach, the tester is only given the name of the enterprise that’s being targeted. This gives the organization a real look into how an actual application assault would take place.