Pentest: Our Approach
Guaranteed quality and transparency
How do we get started on your Penetration Test project?
Some preparatory steps are necessary before the actual Penetration Test (Pentest) can be conducted to ensure an analysis that is tailored to your company in the best possible way. Important criteria for defining your scope are the need for protection, possible impact of a compromise and the time allocated for the Pentest. Based on these preliminary considerations, we define the scope together.
What standards do we consider when conducting Pentests?
When conducting Penetration Tests, we take the following international standards and best practices into account:
- Payment Card Industry Data Security Standard (PCI DSS)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Technical Guide to Information Security Testing and Assessment (NIST SP800-115)
- Recommendations of the German Federal Office for Information Security (BSI)
- Open Web Application Security Project (OWASP)
We will be happy to tailor our process model to the requirements of your company and help you to meet your regulatory requirements.
What is our approach to Penetration Testing?
Preparation and kick-off
Our Pentest Service Management supports you in the acquisition of information and documents relevant for the kick-off meeting. We prepare the Pentest at a kick-off meeting with the technical and organizational specialists of your company. In this meeting, we specify the IT infrastructure to be tested, agree on the necessary user accounts and access paths, and define contact persons and escalation paths. Furthermore, we discuss project-specific details with you such as the metrics for the vulnerability assessment or the language of the report.
We conduct our Pentests primarily on the basis of a grey-box approach. This approach combines the advantages of an attacker's perspective with those of an insider and thus helps to obtain meaningful results in a relatively short time. On request, we can conduct our Pentests on the basis of a black- or white-box approach.
Examination
We will inform you in time about the start date and send you a reminder in advance. Subsequently, our security analysts will start the Pentest in consideration of the criteria specified in the kick-off. The Pentest can be conducted on your site or remotely via the Internet from usd's network or via a VPN tunnel. If you are unable to provide network access for the Pentest, we offer you the usd OrangeBox, a simple and secure way to perform the Pentest remotely with usd. We stay in constant dialogue with you throughout the entire analysis and, on request, keep you informed about the start and end time of the test activities, progress and status on a daily basis. If we find critical vulnerabilities during the test, we will inform you immediately.
First of all, the systems and applications to be tested are analyzed for their attack surface. Potential vulnerabilities are identified and verified using different techniques, our usd HeroLab toolchain and well-established tools. Thanks to our toolchain, we have more time for extensive manual analysis. The exploitation of identified potential vulnerabilities that could, with a high probability, affect the availability of IT systems and applications is discussed with you on a case-by-case basis and only carried out after your explicit approval.
Report
Our security analysts will inform you about the results of the Pentest once the analysis has been completed. You will receive a comprehensive report comprising an executive summary and a technical report in either German or English. This gives you a thorough overview of potential threats and vulnerabilities in your IT infrastructure. This report contains the identified risks and recommendations for corrective measures, so that you can sustainably increase your security level and minimize your risks.
Besides our own risk rating, we offer vulnerability scoring according to internationally recognized metrics (for example, the Common Weakness Scoring System (CWSS) or the Common Vulnerability Scoring System (CVSS)). We are happy to consider your individual customization requests for the report, such as your own risk rating or adaptation to special regulatory requirements.
During PCI DSS pentests, we identify relevant vulnerabilities for your PCI DSS v4.0 compliance and provide detailed information on the affected requirements.
We discuss the results together in a final telephone call and clarify any open questions.
Optional: Test report
Our test report is an additional document that goes beyond the final report. It summarizes the scope as well as the results of the analysis. Here we show which attack vectors were tested, in connection with which functions, and with which result - even if no vulnerabilities were identified. This gives you greater transparency, allows you to evaluate the quality of our analysis and, for example, meets BaFin's requirements for your Pentest report.
Remediation
The Remediation phase comprises the most important steps after Pentests and technical security analyses have been conducted. Here, your company eliminates the identified vulnerabilities based on the recommendations of our security analysts. This is an integral part of improving or enhancing your IT security level.
The remediation of a vulnerability can vary in complexity depending on its nature or on applicable operational requirements. Optionally, we provide the best possible support for you in this important phase - for example, as part of our Vulnerability Management Services.
Re-test and report adjustment
Optionally, you can verify the correct implementation of the corrective measures with a selective re-test. Especially if the Penetration Test is performed for compliance reasons (e.g., due to PCI DSS requirements), the re-test is a necessary part of the Penetration Test. You will receive the results of the re-test in the form of an updated comprehensive report. If all vulnerabilities have been eliminated and your Pentest meets the PCI DSS requirements, we will gladly issue you with our security certificate. This enables you to demonstrate to third parties that you take security seriously.
Pentests in the agile software development process
An increasing number of companies are using agile methods of software development for applications and apps. Consequently, the environment to be tested is constantly evolving. Implementing IT security effectively can thus quickly become a challenge. Before a major release, we recommend using a Pentest to check the security of the entire application - however, this is not practical in the agile software development cycle. In this case, an incremental security check using a Delta Pentest should be integrated into the DevSecOps workflow.
For example, during the agile development process we can check only the modified code for its security, or check a test environment for a specific vulnerability.
Do you have any questions or need support?
Daniel Heyne, usd Team Lead Sales, Security Consultant Pentest, OSCP, OSCE