Penetration Test

Penetration Test2022-11-29T15:27:53+01:00

We test your cyber security

All systems have vulnerabilities. Vulnerabilities that could increase the risk of data breaches if left untouched. A penetration test, or pentest, finds the vulnerabilities and identifies which are the most critical. If you have a picture of the system’s vulnerabilities, you can more easily prioritize resources to fix them.

Our penetration tests are performed by professional hackers • Finds which vulnerabilities are most important to fix

Pentest utförs för att hitta sårbarheter och motverka dataintrång

Quality penetration testing

In addition to the fact that all systems have vulnerabilities that you want to identify and remove, the background to the need for a pen test can come from external requirements from investors, customers, suppliers or as a requirement for, for example, certifications. No matter where the need comes from, we understand the requirement and can deliver a qualitative penetration test.

We have solid experience in various types of penetration tests for companies and organizations where the assignments range from tests in simpler environments to very complex ones. We carry out our assignments with highly experienced specialists according to a well-proven methodology and various industry practices. Conducting pentests is a craft and our testers take a great deal of personal responsibility to always deliver with the highest quality.

Our standard package includes retests as part of our offer. We do this to ensure that the identified vulnerabilities are indeed addressed. After the penetration test is complete, we submit a report with results and recommendations that we review together with you.

Do you want to know more about our pen tests?

Get in touch with us and we’ll help you get started with your pen test.

Testimonials

Dustin Logotyp

Secify supports us in data protection issues and in our work with Data Privacy. In a trustworthy manner and with broad competence, Secify has contributed to our delivery.

Robert Ekvall, IT Security & Company Integration Lead

Our Services

No company’s IT environment is the same. It is therefore important that we go through the conditions and methods together with you to arrive at a good solution. Common to all our penetration tests is that we follow industry standards and methods from OSSTMM, OWISAM, OWASP, OASAM, ISSAF, NIST, ISACA, SANS, Miter Att§ck. We perform penetration tests on web applications, mobile applications, infrastructure and APIs, but also have the option of tailoring a penetration test based on your needs.

Web application

A web application such as an e-commerce site, a booking system or a customer and supplier portal often stores and handles sensitive information. By penetration testing the application, we can find vulnerabilities that in many cases can be exploited to either access sensitive information or to gain administrator access to underlying systems.

Benefits of Penetration Testing Mobile Applications

  • Identifies ways to manipulate the system
  • Finds security issues linked to cookies
  • Finds misconfigured security settings
  • Testing protection against injection attacks

Mobile application

Vulnerabilities in mobile apps can potentially harm both businesses and mobile users. Cybercriminals use the mobile application’s vulnerabilities to either gain access to the company’s information assets or as a tool to spread malicious code to the user. Our mobile application test provides valuable insights into application vulnerabilities and issues. These insights are primarily used to plug security holes and thus protect the client’s and company’s information.

Benefits of Penetration Testing Mobile Applications

  • Finds improper storage of sensitive information
  • Finds misconfigured security settings
  • Identifies incorrect or unencrypted communication
  • Identifies problems with authentication
  • Testing protection against injection attacks

Infrastructure (network)

A pen test performed on the infrastructure can reveal which parts of the network are vulnerable and can be used as a passage to access an underlying system. Here we can test, among other things, SQL servers, VPN servers and connections, email servers, firewalls, FTP and file servers, interconnected third-party systems and other entrances to the organization’s internal network and systems. In addition to that, we can also test the IT system’s operating system and investigate and advise to configure it in a safe way (hardening).

Pentest infrastructure (network)

  • Benefits of penetration testing infrastructure
  • Finds and tests CVE vulnerabilities
  • Identifies flaws in firewall configurations
  • Identifies what an attacker can do if they are on the internal network or enter the network through a VPN connection

API

An API (application programming interface) is used to allow applications to communicate with each other. Examples of such connections are between the company’s website and CRM system, analysis tool, payment system or external form. Our API pentest tests whether the API has vulnerabilities that can be exploited by an attacker. For example, by strengthening the API endpoints, customer information can be prevented from being exposed to the attacker.

Advantages of penetration testing API connectors

  • Identifies whether the API connection exposes sensitive data
  • Identifies incorrect security settings
  • Identifies incorrect permission structures
  • Testing protection against injection attacks

Different ways to test

Once you have decided which target is to be penetration tested, the next step is to decide how the test should be performed. In our service, we base ourselves on black, grey, and white box penetration tests.

Penetrationstest pågår på datorskärm

Black Box

We do not know anything about the system or the environment to be attacked and have no authority at all. The conditions are the same as for an external attacker.
The focus is mainly on attacking the external protection, but also further into the systems that lie behind. Black box is time-consuming but also gives a clear overall picture of how well the system is protected in the event of a possible intrusion attempt.

Example: The attacker attacks a web, or IP address to usurp information or cause damage.

Grey Box

This is something in between Black Box and White Box where we have some information about how the system works. Gray Box simulates an attacker who has already penetrated the external protection and has some kind of internal access to the network. This penetration test is more time-efficient as it skips the initial penetration attempt to focus instead on detecting errors in a single application or finding vulnerabilities in internal information-sensitive systems to which access is possible.

Example: The attacker has come across a user account and with this tries to escalate his permissions in the system.

White Box

We get full access to the software’s source code and documentation and also have access to the environment. With that, the penetration tester can focus on analyzing the system’s structure, code structure and design. You could say that a whitebox penetration test tests from the inside out, unlike a blackbox which tests from the outside in. White Box penetration testing identifies potential weaknesses in the software and is primarily used as a final step in the development of apps and systems to find and prevent potential vulnerabilities that could lead to data leaks and intrusions.

Example: The penetration tester has full access to all information and identifies threats and risks by analyzing source code and documentation.

Utförande av pentest på tangentbord

Implementation and process of our penetration tests

The methodology used to carry out penetration tests looks a little different depending on the scope and external conditions. Often it is about four to six steps that can be repeated like a cycle. An example scenario for a Black Box pen test is described below.

  1. Collection of information about the target
    In addition to the main target, are there secondary targets with lower security? What underlying systems can the target be expected to have. Is there open information about the target, which IP addresses may be relevant for an attack and which can be obtained?
  2. Scanning targets
    What open ports does the target have and what do the vulnerabilities look like in a vulnerability scan?
  3. Attack:
    Exploit the vulnerabilities and try to gain access to systems by, for example, opening ports, login fields, vulnerabilities in systems, and so on.
  4. Finish:
    Conclude the attack, compile evidence, report on vulnerabilities and make recommendations

As we described above, pentesters often use a vulnerability scanning tool to scan the target for potential system vulnerabilities. Each vulnerability discovered is then tested to see if it can be used to penetrate the system. Validating that the possible vulnerability can be exploited in practice is the big difference between a vulnerability scan and a penetration test.

FAQ

Here are answers to the most common questions about penetration testing. Do you have a question that is not listed? Use the contact form further down the page.

What do you get after penetration testing?2022-10-28T06:31:26+02:00

After a completed penetration test, you will receive a report that we will review together with you. You also receive proof in the form of a certificate after a completed test.

Are you protected after a pentest?2022-10-28T06:31:27+02:00

In 2021, 55 new vulnerabilities were identified every day. This means that a system can never be completely free of vulnerabilities. Having said that, you will be more protected if you implement the measures after a penetration test. If you have good basic protection and perform regular penetration tests and actions, attackers will usually not try to get in when there are simpler targets that do not perform penetration tests or actions.

What can be penetration tested?2022-10-28T06:31:27+02:00

The most common is to penetration test a system that is critical to the business, but a penetration test can be done on basically everything from new products to connections between companies. The purpose of the pen test is to find and test security holes in order to increase security, and security can be increased on many different types of targets.

How long does it take to conduct a penetration test?2022-10-28T06:31:27+02:00

It of course depends on the conditions of the penetration test and the type of penetration test to be done, but for a standard black box test you can count on it taking about a month from the time the project is started until you have a report in your hand.

What is a red team and blue team exercise and why is this carried out?2022-10-28T06:31:27+02:00

A red team and blue team exercise is conducted to simulate a cyber attack. The blue team works on defense and protection measures while the red team is the team that carries out the attack. Read team and blue team exercises are conducted to test the ability to defend and prepare against external attacks.

What is the difference between a Blackbox test and a Greybox test?2022-10-28T06:31:27+02:00

In a Blackbox test, you don’t know anything about the system or the environment to be attacked and have no authority at all. In a Greybox test, you have access to a user account and certain information about how the system works.

What is the most common type of pen test?2022-10-28T06:31:27+02:00

The black box test is the most common form of penetration test. The starting point for the penetration tester is the same as for the attacker. There is a complete lack of information about the underlying network structure and system.

What should you consider before buying a pen test?2022-10-28T06:31:28+02:00

Before buying a pen test, it is good to map your systems. This is done to identify which critical information assets and systems you have and where in the network they are located. When you have that overview in front of you, you know what is worth protecting and which system or part of the network that should be tested. When choosing a supplier, you must always ensure that the penetration testers are certified testers who follow the methods and frameworks that apply to the market, such as OWASP and OSSTMM. The result of the penetration test will never be better than the penetration tester himself.

How often should you pentest?2022-10-28T06:31:28+02:00

How often you penetration test depends entirely on what you are testing and how often systems and environments are updated. A rule of thumb is to test at least once a year in cases where you do not make major releases or changes to what is to be tested.

What is the next step after the penetration test?2022-10-28T06:31:28+02:00

After the pentest, you get a report that shows what the vulnerabilities are and how best to fix them. After the security engineer or system engineer has analyzed the report, they then prioritize and fix those that are relevant to plug the security holes

Who is performing the penetration testing?2022-10-28T06:31:28+02:00

A penetration tester is a person who, with their own knowledge and experience, tests systems with the aim of revealing security flaws. The penetration tester is usually called a white hat hacker or an ethical hacker who, unlike the black hat hacker, hacks systems for a good purpose.

Can you do a penetration test yourself?2022-10-28T06:31:28+02:00

It is absolutely possible to perform a penetration test yourself, on your own environment. But for the pentest to be relevant, it should be performed by a person who has extensive experience and/or extensive knowledge of methodology, vulnerabilities and data breaches. Otherwise, there is a big risk that the actions after the penetration test are done on the wrong things. If you want to penetration test your systems yourself, we recommend that you buy a vulnerability scan instead.

Are there any risks with penetration testing?2022-10-28T06:55:30+02:00

Yes, there are risks. Older systems that lack updates or that frequently crash under load are often more likely to also crash during a penetration test. What should be remembered is that that crash is always a sign of a vulnerability in the system, which the penetration test can find and which you can fix afterwards.

Get in touch!

If this seems interesting to your company, you can either send a message using the contact function, or simply pick up the phone and call.

Phone: +46 20 – 66 99 00
Visiting address: Östra Storgatan 67, Jönköping