Pen testing explained in plain language.
If you are considering a first-time pen test, then you may be overwhelmed with buzzwords. We'll help you sort those out.
- Is penetration testing safe?
- Does my business need pen testing?
- Is pen testing expensive?
- What types of testing can be performed?
If you have a question that is not answered here, submit a question using the form at the bottom of this page or contact us on Twitter!
Is penetration testing safe?
Safety is the number one concern about pen testing for most business owners. A careless pen test may lead to interruptions in important business functions, causing outages and real monetary loss.
We take your safety concerns very seriously. Each project begins with a rules of engagement, which describes what techniques our assessors will use and which systems our assessors will target. This allows us to steer clear of mission-critical systems. We also include a communication plan, which allows our assessors to stay in touch with the customer at all times and communicate about any potential problems or clarify any concerns. We also offer a daily debrief to highlight potential issues.
Furthermore, our assessors are bound by a strong code of ethics to treat all business functions, users, and data with the respect that they deserve. Our team never intentionally accesses sensitive data such as PII, PHI, SBU, or client-privileged data.
Does my business need pen testing?
If your business has a web site, runs a social media account, or offers free WiFi to your customers, then a breach is very real risk—even if that risk is not apparent to you yet.
Even if you have a security program and some threat monitoring, these offer broad but shallow insight. For example, you may have security scanners, tools or appliances that automatically detect malicious activity or vulnerabilities and report them to you. These tools can provide coverage for thousands of devices, but they also have very shallow coverage of potential issues and they do not represent the capabilities of a skilled attacker.
Pen testing provides narrow and deep insight that complements these security tools. We highlight real risks by demonstrating how an attacker can target specific vulnerabilities to bypass your defenses. We chain multiple vulnerabilities together to move deeper into your network and closer to your sensitive data and business functions, mimicking the pivoting action of a real attacker.
We recommend penetration testing only for businesses with an existing security program. If your business doesn't yet have a security program or security processes, then a penetration test is not the best place to start.
Is pen testing expensive?
Not as expensive as a data breach.
A good, full scope penetration test is affordable even for small businesses. We estimate a price based on the number and size of the applications or enterprise network surface to be tested. We've tested everything from a small application with few hundred lines of code to large, multinational corporate enterprises. We strongly believe that cost should never be an impediment to security, so we'll work with you to find a scope that fits your budget.
What types of testing can be performed?
These are some of the commonly used terms you will come across when planning a penetration test.
- Black Box
- The assessors have no prior knowledge about the customer, placing them in the same situation as most real attackers. The assessors conduct passive reconnaissance with sources like Google and LinkedIn, and then conduct active reconnaissance such as network scanning.
- White Box
- The assessors are provided with some knowledge of or access to the target systems, such as hostnames, network diagrams, user credentials, etc. White box testing is usually performed as a followup to black box testing to examine more specific scenarios.
- External
- The assessors attack targets over the internet, using the same level of access that most real attackers start with. This type of testing is typically conducted remotely.
- Internal
- The assessors have access to some internal resources, such as the corporate network. This type of testing can be conducted remotely using a customer-provided VPN, or the testing can be conducted on-site.
- Network
- The assessors target a broad range of networked systems, including computers, phones, tables, routers, printers, servers, etc. looking for vulnerable or misconfigured devices.
- Web
- The assessors target a specific web site or web application, typically created or maintained by the customer, focusing deeply on the authentication, session management, encryption, and business logic. The assessors focus on unique and novel exploits.
- Application
- The assessors target a specific native application, such as a desktop application or server application. The assessors use binary fuzzing and network protocol fuzzing to identify potential vulnerabilities, then develop working exploits to determine the ramifications of each vulnerability.
- Source Code Review
- The assessors review the source code of an application to identify potential vulnerabilities. This approach is very effective when combined with one of the approaches above: the assessors use a combination of source code review and dynamic testing to find and confirm vulnerabilities.