Frequently Asked Questions - Pentestco

What is a penetration test?

A penetration test is an interactive security test undertaken to identify security vulnerabilities that are actually exploitable. Our penetration test sessions are conducted by trained and qualified professionals. There are many types of penetration tests, including network penetration tests and host configuration tests, web application penetration tests, wireless network penetration tests, client-server application penetration tests, mobile device penetration tests, and social engineering, to name a few.

All penetration tests performed by Pentestco are web application penetration tests.


What are blackbox and whitebox penetration tests?

A blackbox test is normally defined as a test where the penetration testers do not have any more information than attackers without internal knowledge might have. The idea is to check how deeply potential attackers can compromise your systems without any kind of internal information or access.
All knowledge has to be gathered with classical reconnaissance (finding as much information as possible about the target) and enumeration (a deeper look at individual systems).
This does not pose a restriction for real attackers, but for every reputable company it should go without saying that all phases of a penetration test are only performed where explicit consent is given.

In a whitebox test, the penetration testers already have internal knowledge about the target systems (for example network plans or a web application's source code) and possibly various access permissions. The latter could be an unprivileged user account on the company network, as it is available to employees, or login credentials for a web application like any normal customer would have. This makes it possible to test to what extent users with access to a system can misuse their permissions. Additionally, internal information may be provided that is also available to every staff member of the company.


Why should we conduct a penetration test?

IT is an integral part of every company's business today. As a result, not only does the amount of business-critical data stored on IT systems grow, but so does the dependency on a working IT infrastructure. This leads to an increased number of attacks against IT systems in the form of industrial espionage, denial of service attacks and other possibilities to significantly harm a company. Important corporate secrets are spied on and sold to competitors. The availability of systems is interrupted, and non-working IT causes more and more problems today. No new orders are placed, because competitors somehow always have the better offer.

A penetration test gives you information about your systems' vulnerabilities, how probable a successful attack against your infrastructure is and how you can protect yourself against potential security breaches in the future. An overview of a penetration test's benefits is available under benefits.


What is the workflow of a penetration test?

Once you register the website to be audited, Pentestco will verify that you have permission to run a penetration testing session against the requested website, using one of the following three methods:
  • Sending an email with a security password to an email address on the same domain as the website to be audited;
  • Adding a TXT record for that domain;
  • Adding META data to the index.html of your website.
Once ownership of the application is verified, you can choose the date on which you want us to start the penetration testing session. From that moment on, your website must be reachable; otherwise the session will not be successful.
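
An added example, not Pentestco's code: one way the TXT and META checks above could be implemented so that a token proves control of one specific domain. The label name, the HMAC token scheme and the assumption that the META data is a `<meta>` tag in the page head are illustrative choices, not details from this page.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Hypothetical label; the page does not say what the real tag or record looks like.
LABEL = "pentest-site-verification"

def issue_token(secret: bytes, account_id: str, domain: str) -> str:
    """Derive a token bound to one account and one domain, so it cannot be
    reused to claim a different site."""
    msg = f"{account_id}|{domain.lower().rstrip('.')}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(a.strip().encode(), b.encode())

class _HeadMeta(HTMLParser):
    """Collect content= of matching <meta> tags that sit inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head, self.values = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == LABEL:
                self.values.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def meta_proves_ownership(html: str, token: str) -> bool:
    # A tag in <body> may come from user-submitted content, so it is ignored.
    finder = _HeadMeta()
    finder.feed(html)
    return any(_same(v, token) for v in finder.values)

def txt_proves_ownership(txt_records: list[str], token: str) -> bool:
    # txt_records: strings already fetched from DNS for the domain being claimed.
    prefix = LABEL + "="
    return any(r.startswith(prefix) and _same(r[len(prefix):], token)
               for r in txt_records)
```

Fetching the page and the DNS records is left out so the checks run offline; in practice both must be retrieved for the exact domain that was registered for the audit.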


What time investment does Pentestco estimate for a penetration test?

The time investment for a web application penetration test varies from case to case depending on how many URLs are to be audited, but usually the time needed ranges from 1 to 5 days.


Can any harm be done to our production systems during the test?

Unlike real attackers, Pentestco pays great attention to a customer's production systems, so as to not interrupt them. We always go to the greatest extent to leave all systems unharmed in a penetration test. Attacks where the risk of a system failure is especially high are only performed with the client's explicit consent.


Are the results written down in a report?

Every client gets a detailed report at the end of a penetration test. A typical report includes an extensive technical explanation for administrators, developers or other technical staff. The individual problems enumerated in the report are separated into a detailed description, a risk analysis and proposed solutions, to directly give suggestions for improvement.


How is Pentestco different from other companies that offer penetration tests?

Pentestco specialises exclusively in web application penetration tests, in contrast to many other companies in IT-security for which penetration tests are one of many business offerings. As the expertise for conducting a penetration test with specialized security experts is absent in many cases, quite often automated security scans are sold as penetration tests.

The results are documented in a detailed report by the penetration testers that performed the test, with the ambition to communicate the necessary knowledge about the vulnerabilities in an understandable way. For our customers, this means that vulnerabilities can be better comprehended and issues solved more efficiently. Pentestco particularly does not sell any other services before or after a penetration test. The penetration test should not serve to sell extra services, but should be an independent security examination.

Additionally, Pentestco provides extra functionality via the website, such as comprehensive graphs that make results easy to interpret, historical result comparison, and advanced search across all audited URLs, which makes any later remediation phase easier.


Are Pentestco prices clear?

You pay once the penetration testing session is finished and the report is complete. Pentestco will provide you with an estimate before starting the penetration testing session. In order to produce that estimate, we provide a FREE and limited penetration test. Based on this FREE session, we can advise you to contract a full penetration testing session if we think it is necessary.

Pentestco does not charge any other fees apart from the penetration testing session cost plus VAT if it applies.