Penetration testing

Introduction

Do you have penetration testing requirements?
We can help you meet them.

All systems have vulnerabilities, and vulnerabilities that are left unaddressed increase the risk of a data breach. A penetration test, or pentest, discovers vulnerabilities and identifies which ones are most critical. A clear picture of a system's vulnerabilities makes it easier to prioritize the resources needed to address them.

Contact Us

Do you want to know more about our service and solutions? Contact us and we will assist you.

This is what you get

The best support in pentesting

Every system has vulnerabilities that you want to identify and remove, but the need for a pentest often also comes from external requirements: investors, customers, suppliers, or a certification that requires one. Whatever the origin of the requirement, we understand it and can deliver the support you need for your penetration test.

We have solid experience of different types of tests for companies and organizations, with assignments ranging from tests of simple environments to very complex ones. Our assignments are carried out by highly experienced specialists according to a well-proven methodology and established industry practices. Conducting pentests is a craft, and our testers take personal responsibility for always delivering at the highest quality.

Our standard package includes a retest, so that we can confirm that the identified vulnerabilities have actually been addressed. After the test is completed, we provide a report of the results and recommendations, which we review together with you.

This is what we can test

Our penetration tests

No two companies' IT environments are the same, so we go through the scope, conditions and methods together with you to arrive at a suitable approach. Common to all our penetration tests is that we follow industry standards and methods from OSSTMM, OWISAM, OWASP, OASAM, ISSAF, NIST, ISACA, SANS and MITRE ATT&CK. We perform penetration tests of web applications, mobile applications, infrastructure and APIs, and can also tailor a test to your needs.

Pentest web application

A web application such as an e-commerce site, a booking system or a customer and supplier portal often stores and handles sensitive information.

By penetration testing the application, we find vulnerabilities that in many cases can be exploited either to access sensitive information or to gain administrative access to the underlying systems.

Benefits of penetration testing web applications

  • Identifies ways to manipulate the application
  • Finds security issues related to cookies and session handling
  • Identifies misconfigured security settings
  • Tests protection against injection attacks

Pentest mobile application

Vulnerabilities in mobile apps can potentially harm both businesses and mobile users.

Cybercriminals exploit vulnerabilities in mobile applications either to gain access to a company's information assets or to use the app as a vehicle for spreading malware to its users. Our mobile application testing provides insight into the vulnerabilities and weaknesses of an application. These insights are used primarily to close security gaps and thereby protect both the customers' and the company's information.

Benefits of penetration testing mobile applications

  • Identifies improper storage of sensitive information
  • Identifies misconfigured security settings
  • Identifies improper or unencrypted communication
  • Identifies authentication issues
  • Tests protection against injection attacks

Pentest infrastructure (network)

A pentest performed on the infrastructure can reveal which parts of the network are vulnerable and can be used as a gateway to access an underlying system.

We can test SQL servers, VPN servers and connections, mail servers, firewalls, FTP and file servers, interconnected third-party systems, and other entry points into the organization's internal network and systems. We can also test the operating systems of the servers themselves and advise on how to configure them securely (hardening).

Benefits of penetration testing infrastructure

  • Finds and validates known vulnerabilities (CVEs) in exposed services
  • Identifies flaws in firewall configurations
  • Identifies what an attacker can do once they are on the internal network or have entered it via a VPN connection

Pentest API

An API (application programming interface) allows applications to communicate with each other.

Typical integrations include those between a company's website and its CRM system, analytics tools, payment systems or external forms. Our API pentest checks whether the API has vulnerabilities that an attacker can exploit. Hardening the API endpoints can, for example, prevent customer information from being exposed to an attacker.

Benefits of penetration testing API connections

  • Identifies if the API connection exposes sensitive data
  • Identifies incorrect security settings and authorization structures
  • Tests protection against injection attacks
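The web application, mobile application and API sections above all list "tests protection against injection attacks" without showing what such a test looks like. The following is an added example, not code from the page or from the service it describes: a lookup built by string concatenation beside the same lookup with a bound parameter, and a minimal pentest-style probe that sends a tautology payload and a comment-truncation payload to each. The `users` table and its rows are constructed sample data; the function names are this example's own.

```python
import sqlite3

# Constructed sample data for the example: one admin and two ordinary accounts.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "user"),
    (2, "bob", "bob@example.com", "user"),
    (3, "admin", "admin@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by concatenation, so attacker-controlled text becomes SQL syntax."""
    query = f"SELECT id, username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is always treated as data, never as SQL."""
    query = "SELECT id, username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def probe_injection(lookup, conn: sqlite3.Connection) -> dict:
    """A minimal injection check of the kind a pentester runs against a lookup function.

    Compares a benign lookup with two classic payloads:
      - a tautology ("' OR '1'='1") that widens the WHERE clause to every row, and
      - a comment payload ("admin' --") that truncates the rest of the statement
        and selects a chosen account.
    Returns row counts so the difference (or lack of it) is visible.
    """
    benign = lookup(conn, "alice")
    tautology = lookup(conn, "x' OR '1'='1")
    comment = lookup(conn, "admin' --")
    return {
        "benign_rows": len(benign),
        "tautology_rows": len(tautology),
        "comment_rows": len(comment),
        "comment_role": comment[0][3] if comment else None,
        "injectable": len(tautology) > len(benign) or bool(comment),
    }


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", probe_injection(lookup_vulnerable, conn))
    print("hardened:  ", probe_injection(lookup_hardened, conn))
```

Against the concatenating lookup the tautology returns all three rows and the comment payload returns the admin row; against the parameterized lookup both payloads return nothing, because the whole string is compared as a literal username.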


Approach to our pen tests

Different ways to test

Once you have decided which target to penetration test, the next step is to decide how to perform the test. Our service is based on black, gray and white box pentests.

White Box

We get full access to the software source code and documentation and also have access to the environment.

This allows the penetration tester to focus on analyzing the system's architecture, code structure and design. One could say that a white box penetration test works from the inside out, whereas a black box test works from the outside in.

White box penetration testing identifies weaknesses in the software itself. It is often used late in the development of an app or system, before release, to find and remove vulnerabilities that could otherwise lead to data leaks and breaches.

Example: The penetration tester has full access to all information and identifies threats and risks by analyzing source code and documentation.

Grey Box

This is a middle ground between black box and white box, where we have some information about how the system works.

A grey box test simulates an attacker who has already got past the external protection and has some form of access to the internal network. This type of test is more time-efficient because it skips the initial intrusion attempt and instead concentrates on finding flaws in a specific application, or vulnerabilities in internal systems holding sensitive information that the tester has been given access to.

Example: The attacker has obtained an ordinary user account and tries to use it to escalate their privileges in the system.

Black Box

We know nothing about the system or the environment to be attacked and start with no credentials or privileges.

The conditions are the same as for an external attacker. The focus is mainly on attacking the external protection, but also on reaching the systems behind it. A black box test is more time-consuming, but it gives a clear overall picture of how well the system holds up against a real intrusion attempt.

Example: The attacker attacks a web application or an IP address to obtain information or cause damage.

Here’s how it works

Implementation and process of pentests

The methodology used to conduct pentests varies slightly depending on the scope and external conditions. It often involves four to six steps that can be repeated like a cycle. An example scenario for a Black Box pentest is described below.

  1. Information gathering on the target
    In addition to the main objective, are there secondary objectives with weaker security? What underlying systems can the target be expected to have? Is there public information about the target, and which IP addresses can be identified and targeted?
  2. Scanning of targets
    Which ports does the target have open, and what does a vulnerability scan report?
  3. Attack
    Exploit the vulnerabilities and try to gain access to systems through, for example, open ports, login forms or known system vulnerabilities.
  4. Conclusion
    Wrap up the attack, gather evidence, and prepare the vulnerability report and recommendations.

As described above, pentesters often use a vulnerability scanner to scan the target for potential vulnerabilities. Each vulnerability found is then tested to see whether it can actually be used to penetrate the system. Validating that a potential vulnerability can be exploited in practice is the key difference between a vulnerability scan and a penetration test.
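The scanning step above ("which ports does the target have open") and the scan-versus-validate distinction can be shown concretely. The following is an added example, not code from the page or from the service it describes: a small TCP connect scanner with banner grabbing, plus a constructed local "service" on the loopback interface so that the example runs offline. The banner text, the `PortResult` structure and all function names are this example's own assumptions; in a real engagement the scanner's output is only the list of candidates that the tester then validates by hand in the attack step.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass
class PortResult:
    port: int
    state: str        # "open" or "closed"
    banner: str = ""  # first bytes the service sent, if any


def probe_port(host: str, port: int, timeout: float = 0.5) -> PortResult:
    """TCP connect scan of one port, with a short banner grab on success."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, socket.timeout, OSError):
            return PortResult(port, "closed")
        try:
            banner = s.recv(256).decode("utf-8", "replace").strip()
        except (socket.timeout, OSError):
            banner = ""  # open port, but the service waits for the client to speak first
        return PortResult(port, "open", banner)


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list:
    """Scan many ports concurrently; results are sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return sorted(results, key=lambda r: r.port)


def open_ports(results) -> list:
    """The candidates handed to the attack step: open ports and what they announced."""
    return [(r.port, r.banner) for r in results if r.state == "open"]


def start_banner_server(banner: bytes):
    """Constructed local service for the demo: sends a fixed banner to every client.

    Returns (port, stop) where stop() shuts the server down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)         # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_closed_port() -> int:
    """Pick a port that nothing is listening on (bound briefly, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_local_demo() -> dict:
    """Scan one open and one closed loopback port; returns {port: PortResult}."""
    banner = b"220 demo-ftp (constructed sample banner) ready\r\n"
    port_open, stop = start_banner_server(banner)
    port_closed = free_closed_port()
    try:
        results = scan_ports("127.0.0.1", [port_open, port_closed])
    finally:
        stop()
    return {r.port: r for r in results}


if __name__ == "__main__":
    for r in run_local_demo().values():
        print(f"{r.port:>5}/tcp  {r.state:<6}  {r.banner}")
```

The banner ("220 ...") is exactly the kind of clue that turns a scan result into a hypothesis for the attack step (for example, an FTP service worth checking for anonymous login); the scanner itself proves nothing about exploitability, which is why the validation step follows.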

Questions and answers

Here are answers to the most frequently asked questions about penetration testing. Do you have a question that is not listed? Use the contact form further down the page.

Get in touch!