Our team of specialists has been conducting technical security tests for many years. In the role of a fictitious attacker, we test existing IT infrastructures and applications from the outside and inside. We use tools where they facilitate work steps but focus on the creativity of the tester in manual tests.
Penetration tests
As auditors, we examine the configuration of security systems and IT components or check the source code of critical applications for the secure implementation of critical functions. In doing so, we always pursue the goal of deducing the causes from the symptoms identified in the test and to start at the right place with our recommendations in order to permanently improve security.
The specialists deployed have in-depth knowledge of security mechanisms and attack techniques. We not only comprehensively cover “classic” office IT, but can also examine control and management systems, plants, and embedded systems, e.g. in medical technology, manufacturing, or supply networks.
However, our specialists also bring practical experience from system operation or application development and therefore focus their recommendations for achieving a state-of-the-art security level on practicable solutions.
Our extensive cyber response activity enables us to realistically assess the relevance of identified vulnerabilities and propose sensible priorities for action implementation. We have proven our expertise and our testing methods, which combine our own experience with international standards such as the recommendations of the OWASP project or the implementation recommendations for penetration tests, with our certification as a provider of penetration testers.
Stay one step ahead of hackers with regular pentests
Pentests are approved attacks by our specialists on your IT systems, which are based on realistic scenarios and attacks observed in practice. The so-called penetration testers check, for example, your computers, servers, networks, and web applications for security vulnerabilities. In doing so, they use methods that are also used by hackers and experienced attackers and thus uncover targeted vulnerabilities. Pentests thus form the basis for timely detection and elimination of vulnerabilities.
Before the start of a project, we work with you to determine your risk potential and, based on this, coordinate the scope of our tests. Thus, we often subject websites that are publicly accessible from the outside to more extensive testing than internal applications that are not highly relevant. We record our penetration tests in a report and add proposed solutions that subsequently enable you to improve your IT security. Penetration testing is largely performed manually and provides a snapshot of the security of your IT landscape.
The penetration test checks your IT security
By definition, the goal of penetration testing is to identify vulnerabilities in your IT infrastructure in order to increase IT security in your organization. Where appropriate, pentests are further supplemented by technical audits or interviews with contacts to obtain a more comprehensive overview of the security level. Technical, as well as human and organizational vulnerability, is put to the test during IT security checks. With a detailed test report, we document your status quo and provide you with all the information you need to remedy the identified vulnerabilities.
Legal requirements for pentesting
Before performing a penetration test, the consent of the company to be tested is essential. Without the written consent, the pentests are illegal and constitute a criminal offense. The test may only relate to objects that clearly belong to the company being tested. Third-party IT systems, such as cloud services, may not be tested without their additional consent. The clear clarification lies with the client in advance. The higher the number of external IT services, the more complex the clarification usually is. It is therefore advisable to contractually regulate the possibility of performing pentests and security checks with the service providers in advance.
The test structure
External penetration testing examines areas of a network that are publicly accessible from the Internet. Our analysts look at your system with the glasses of an external attacker and partially guess internal structures to penetrate your IT system. Of course, you only move within the agreed test scope.
In a black-box test, the penetration tester only knows the target address. This simulates a typical attacker who has little knowledge of the target system. In contrast, in a white-box test, the tester has extensive information such as internal IP addresses and the software and hardware used on the IT systems to be tested. The gray box test is, as the name suggests, a combination of the two previously mentioned tests. The penetration tester already receives some information, such as login credentials, and analyzes the other information on its own. This is the most commonly used type of test and represents a good compromise between cost, speed, effort, and reliable results. In general, the following criteria form the basis of our work:
- Information base;
- Aggressiveness;
- Scope;
- Approach;
- Technique;
- Starting point.
Depending on the individual requirements of your IT system and infrastructure, we put together the pentest in consultation with you. Here we differentiate in individual test steps, whether it is pure information gathering or active intrusion attempts. Our experienced pentesters and auditors work with you to put together the best possible test plan, focusing on the systems and interfaces that are particularly at risk.