What is penetration testing?

• The methodology and delivery of penetration testing depends on the type and nature of software or applications.
• In most cases Penetration Testing is done according to OWASP ASVS (Application Security Verification Standard) using OWASP Web Security Testing Guide. The Application Security Verification Standard is a list of application security requirements or tests that are used to perform the penetration test.
• The outcome of the engagement consists of a detailed report of the findings and vulnerabilities discovered during the penetration testing activities and a post-engagement briefing to the company’s personnel for elaborating the findings and providing recommendations to remediate.

What needs to be agreed before penetration testing?

The three most common types of testing are:

• Black-box method– penetration tester has almost no knowledge about the application and data flows.
• Grey-box method– penetration tester has partial knowledge about the application and data flows.
• White-box method– penetration tester has full information about application and data flows.

The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.

• ASVS Level 1 – is for low assurance levels and is completely penetration testable.
• ASVS Level 2 – is for applications that contain sensitive data, which requires protection and is the recommended level for most apps.
• ASVS Level 3 – is for the most critical applications – applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

Penetration method and level should be agreed upon between CYBERS and the Customer prior to the actual engagement.  

Agreement conditions are defined in the Statement of Work, which consists of the following details:

• Goal and scope description
• Testing level and method
• Timeline of the engagement
• Agreed rules

What happens durning the penetration testing?

Through penetration testing, we imitate the attack of cybercriminals to check the security measures of applications, systems, infrastructure and services. The purpose of penetration testing is to detect vulnerabilities and minimize signals from a planned cyber attack to ensure the performance of business-critical services.

At the end of the service, we will provide a detailed report on the findings and weaknesses and explain them during the meeting. We will also prepare a memo on these explanations and clarifications and provide recommendations for further actions to address the identified weaknesses and minimize the risks.

Testing usually lasts from 2 to 4 weeks, depending on the scope of the engagement and the complexity of systems.

In the first stage, the testing scope is agreed, ie what is tested in more detail and what is excluded from the test. The initial planned workload is also agreed upon, and depending on the nature of the test, the goals of the penetration test towards which the testers will work. An overall approach and a team of project participants who are aware of the test are agreed. Each test is unique in nature because each application and organization is different.

What happens after testing?

The purpose of the post-engagement stage is to provide the Customer with a through report of findings revealed durning the previous stage, illustrating the outcome of the exercise and carried out activities. Report will contain finding remediations. On Customer’s request, CYBERS will conduct a briefing of findings to the Customer’s personnel, such as executives, management, technical staff and other required stakeholders.

Report will be in English, unless stated otherwise in Statement of Work.
Final report will be provided within 1 week(s) after the work is completed.

What are penetration testing benefits?

• Gather valuable insight about the weaknesses and strengths of the system or the application.
• Address vulnerabilities throughout the development lifecycle in a timely fashion.
• Avoid sensitive data leakage and system or application being compromise by cybercriminals.
• Receive a thorough report with a summary of vulnerabilities for executives and managers.
• Receive a detailed report about findings, including remediation guidance and recommendations.