Security Assessment and Penetration Testing
Identify security issues early and provide viable recommendations.
We conduct black box, grey box and white box penetration tests and structured assessments for infrastructures and applications.
Choosing the right assessment type
While black, grey and white box testing are established types of penetration testing exercises, we would like to draw your attention to a service we call "structured assessment". Our structured assessments expand the scope of white box penetration tests. They include one or two 3-hour audit sessions with the operating/developing line of business, in which we discuss the architecture of the service, delivery models, business processes and support processes. Additionally, we discuss with the operating line of business typical IT-related processes like backup and restore, administration, user and authorization management, patch management processes, decommissioning, etc.
At the beginning of the structured assessment, this extended scope gives us solid foundational knowledge of the assessment target, which will be penetration tested later on, and helps us identify process-related deficiencies. The next step of the assessment is a classical white box penetration testing exercise.
While the white box exercise would be a snapshot of the security state at a point in time, the extended scoping of the structured assessment will ensure that possible future deficiencies are also addressed by appropriate processes. For instance, in patch management, the white box exercise will validate the patch state at a point in time, while the process review performed as part of the structured assessment will ensure that a solid patch management process is established for the future.
In agreement with the customer, we will define an appropriate scope and discuss resources.
During the pre-arranged time frame, the assessment is performed at the customer's site or remotely. Results will be documented in agreement with the customer. An assessment report will be created and handed over to the customer.
We offer an additional service where we perform regular follow-up activities in order to track the status of mitigating activities, clarify questions and guide operations and development during the fixing phase.
We offer an additional service where we retest identified issues and ensure that mitigating activities were successful.