We test your cyber security
All systems have vulnerabilities, and vulnerabilities left unaddressed increase the risk of data breaches. A penetration test, or pentest, finds these vulnerabilities and identifies which are the most critical. With a clear picture of the system’s vulnerabilities, you can more easily prioritize resources to fix them.
- Our penetration tests are performed by professional hackers
- They find which vulnerabilities are most important to fix
Quality penetration testing
Beyond the fact that all systems have vulnerabilities that you want to identify and remove, the need for a pen test can also come from external requirements: from investors, customers or suppliers, or as a prerequisite for certifications. No matter where the need comes from, we understand the requirement and can deliver a high-quality penetration test.
We have solid experience in various types of penetration tests for companies and organizations where the assignments range from tests in simpler environments to very complex ones. We carry out our assignments with highly experienced specialists according to a well-proven methodology and various industry practices. Conducting pentests is a craft and our testers take a great deal of personal responsibility to always deliver with the highest quality.
Our standard package includes retests as part of our offer. We do this to ensure that the identified vulnerabilities are indeed addressed. After the penetration test is complete, we submit a report with results and recommendations that we review together with you.
Do you want to know more about our pen tests?
Get in touch with us and we’ll help you get started with your pen test.
Secify supports us in data protection issues and in our work with Data Privacy. In a trustworthy manner and with broad competence, Secify has contributed to our delivery.
Robert Ekvall, IT Security & Company Integration Lead
Some of our customers
No two companies’ IT environments are the same. It is therefore important that we go through the conditions and methods together with you to arrive at a good solution. Common to all our penetration tests is that we follow industry standards and methods from OSSTMM, OWISAM, OWASP, OASAM, ISSAF, NIST, ISACA, SANS and MITRE ATT&CK. We perform penetration tests on web applications, mobile applications, infrastructure and APIs, but can also tailor a penetration test to your needs.
Vulnerabilities in mobile apps can potentially harm both businesses and mobile users. Cybercriminals use the mobile application’s vulnerabilities to either gain access to the company’s information assets or as a tool to spread malicious code to the user. Our mobile application test provides valuable insights into application vulnerabilities and issues. These insights are primarily used to plug security holes and thus protect the client’s and company’s information.
Benefits of Penetration Testing Mobile Applications
- Finds improper storage of sensitive information
- Finds misconfigured security settings
- Identifies incorrect or unencrypted communication
- Identifies problems with authentication
- Tests protection against injection attacks
A pen test performed on the infrastructure can reveal which parts of the network are vulnerable and could be used as a route into an underlying system. Here we can test, among other things, SQL servers, VPN servers and connections, email servers, firewalls, FTP and file servers, interconnected third-party systems and other entry points to the organization’s internal network and systems. In addition, we can also test the IT system’s operating system and advise on configuring it securely (hardening).
Pentest infrastructure (network)
Benefits of penetration testing infrastructure
- Finds and tests CVE vulnerabilities
- Identifies flaws in firewall configurations
- Identifies what an attacker can do if they are on the internal network or enter the network through a VPN connection
An API (application programming interface) is used to allow applications to communicate with each other. Examples of such connections are between the company’s website and CRM system, analysis tool, payment system or external form. Our API pentest tests whether the API has vulnerabilities that can be exploited by an attacker. For example, by strengthening the API endpoints, customer information can be prevented from being exposed to the attacker.
Advantages of penetration testing API connectors
- Identifies whether the API connection exposes sensitive data
- Identifies incorrect security settings
- Identifies incorrect permission structures
- Tests protection against injection attacks
Different ways to test
Once you have decided which target is to be penetration tested, the next step is to decide how the test should be performed. Our service offers black, grey and white box penetration tests.
Black box
We do not know anything about the system or the environment to be attacked and have no privileges at all. The conditions are the same as for an external attacker.
The focus is mainly on attacking the external protection, but also on the systems that lie behind it. Black box testing is time-consuming but also gives a clear overall picture of how well the system is protected against a possible intrusion attempt.
Example: The attacker attacks a website or IP address to steal information or cause damage.
Grey box
This is something in between black box and white box, where we have some information about how the system works. Grey box simulates an attacker who has already penetrated the external protection and has some kind of internal access to the network. This penetration test is more time-efficient, as it skips the initial penetration attempt and instead focuses on detecting errors in a single application or finding vulnerabilities in internal, information-sensitive systems to which access is possible.
Example: The attacker has obtained a user account and uses it to try to escalate their permissions in the system.
White box
We get full access to the software’s source code and documentation and also have access to the environment. With that, the penetration tester can focus on analyzing the system’s structure, code structure and design. You could say that a white box penetration test tests from the inside out, unlike a black box test, which tests from the outside in. White box penetration testing identifies potential weaknesses in the software and is primarily used as a final step in the development of apps and systems to find and prevent potential vulnerabilities that could lead to data leaks and intrusions.
Example: The penetration tester has full access to all information and identifies threats and risks by analyzing source code and documentation.
Implementation and process of our penetration tests
The methodology used to carry out penetration tests differs slightly depending on the scope and external conditions. It usually involves four to six steps that can be repeated as a cycle. An example scenario for a black box pen test is described below.
- Collection of information about the target
In addition to the main target, are there secondary targets with lower security? What underlying systems can the target be expected to have? Is there open information about the target, and which IP addresses may be relevant for an attack and can be obtained?
- Scanning targets
What open ports does the target have, and what vulnerabilities does a vulnerability scan show?
- Exploiting the vulnerabilities
Exploit the vulnerabilities and try to gain access to systems via, for example, open ports, login forms or vulnerabilities in systems.
- Reporting
Conclude the attack, compile evidence, report on vulnerabilities and make recommendations.
As we described above, pentesters often use a vulnerability scanning tool to scan the target for potential system vulnerabilities. Each vulnerability discovered is then tested to see if it can be used to penetrate the system. Validating that the possible vulnerability can be exploited in practice is the big difference between a vulnerability scan and a penetration test.
Here are answers to the most common questions about penetration testing. Do you have a question that is not listed? Use the contact form further down the page.
After a completed penetration test, you will receive a report that we will review together with you. You also receive proof in the form of a certificate after a completed test.
In 2021, 55 new vulnerabilities were identified every day. This means that a system can never be completely free of vulnerabilities. That said, you will be better protected if you implement the measures recommended after a penetration test. If you have good basic protection and perform regular penetration tests and remediation, attackers will usually not try to get in while there are easier targets that do not.
The most common is to penetration test a system that is critical to the business, but a penetration test can be done on basically everything from new products to connections between companies. The purpose of the pen test is to find and test security holes in order to increase security, and security can be increased on many different types of targets.
It of course depends on the conditions of the penetration test and the type of penetration test to be done, but for a standard black box test you can count on it taking about a month from the time the project is started until you have a report in your hand.
A red team and blue team exercise is conducted to simulate a cyber attack. The blue team works on defense and protection measures, while the red team is the team that carries out the attack. Red team and blue team exercises are conducted to test the ability to defend against and prepare for external attacks.
In a black box test, you know nothing about the system or the environment to be attacked and have no privileges at all. In a grey box test, you have access to a user account and certain information about how the system works.
The black box test is the most common form of penetration test. The starting point for the penetration tester is the same as for the attacker. There is a complete lack of information about the underlying network structure and system.
Before buying a pen test, it is a good idea to map your systems. This is done to identify which critical information assets and systems you have and where in the network they are located. When you have that overview in front of you, you know what is worth protecting and which system or part of the network should be tested. When choosing a supplier, you should always ensure that the penetration testers are certified and follow the methods and frameworks that apply in the market, such as OWASP and OSSTMM. The result of a penetration test will never be better than the penetration tester.
How often you penetration test depends entirely on what you are testing and how often systems and environments are updated. A rule of thumb is to test at least once a year in cases where you do not make major releases or changes to what is to be tested.
After the pentest, you get a report that shows what the vulnerabilities are and how best to fix them. After the security engineer or system engineer has analyzed the report, they prioritize and fix the relevant findings to plug the security holes.
A penetration tester is a person who, with their own knowledge and experience, tests systems with the aim of revealing security flaws. The penetration tester is usually called a white hat hacker or an ethical hacker who, unlike the black hat hacker, hacks systems for a good purpose.
It is absolutely possible to perform a penetration test yourself, on your own environment. But for the pentest to be relevant, it should be performed by a person who has extensive experience and/or extensive knowledge of methodology, vulnerabilities and data breaches. Otherwise, there is a big risk that the actions after the penetration test are done on the wrong things. If you want to penetration test your systems yourself, we recommend that you buy a vulnerability scan instead.
Yes, there are risks. Older systems that lack updates or that frequently crash under load are often more likely to also crash during a penetration test. What should be remembered is that such a crash is always a sign of a vulnerability in the system, which the penetration test can find and which you can fix afterwards.