What is a Penetration Test?
A "pentest", short for "penetration test", is a type of security test that aims to identify vulnerabilities in a computer system, network or application by simulating an attack by a malicious actor.
During a pentest, an experienced security professional (also called a "penetration tester" or "ethical hacker") uses various techniques and tools to attempt to exploit vulnerabilities in the system or application in order to gain unauthorized access, steal data or otherwise compromise the system. The tester might also attempt to escalate their privileges or move laterally within the network to gain access to additional systems.
The goal of a pentest is to identify security vulnerabilities before they can be exploited by real
attackers and provide recommendations to improve system security. Pentests can help organizations
identify weaknesses in their security posture and prioritize resources to address the most critical
issues first.
Types of Penetration Tests
Penetration tests are broadly divided into black box, gray box and white box categories. In addition, terms such as “mobile penetration test” or “API pentest” are increasingly common; these only describe the target system, not how the test itself is carried out.
Blackbox Pentest
A black box penetration test most closely resembles how a company is actually attacked today. The attacker starts with no information and has to acquire it, passing through several phases that ultimately enable a successful cyberattack on the target. This approach borrows heavily from military practice, in which a lot of time is invested in reconnaissance and information gathering from a variety of sources before the actual attack. As a rule, the attacker has no internal information.
Depending on the engagement, a dedicated information gathering phase is often unnecessary, for example when the scope is a single application and the tester's job is to look for security gaps from the outside.
Greybox Pentest
Penetration tests that follow the gray box approach are often similar to the classic black box pentest. Here, however, the tester is given certain information in advance: for example, parts of the source code, documentation, an API schema, or credentials for accounts with few rights. There is often close collaboration with the customer, who provides further information as the situation requires.
Here, too, the goal is to concentrate on what is actually important: finding relevant security gaps in the system being tested, without losing time in the reconnaissance phase. Typically, this approach has the best cost-benefit ratio.
Whitebox Pentest
In a white box pentest, all information is made available to the testers. This gives the tester a comprehensive picture of the system under test: it is clear how it communicates with other systems, and thanks to the source code that is usually available, even complex security gaps can be found. The results here are expected to be particularly good. The disadvantage, however, is that a white box test can often be very lengthy and therefore expensive.
Pentest: Blackbox vs Greybox vs Whitebox
| | Blackbox | Greybox | Whitebox |
|---|---|---|---|
| Goals | Simulation of a realistic external attack and identification of external vulnerabilities. | Simulation of a partially informed attack and identification of vulnerabilities with limited knowledge. | Comprehensive analysis of the system and identification of internal and external weaknesses. |
| Initial situation | No prior knowledge and no access to internal resources | Limited prior knowledge and access to internal resources | Full access to all resources and source code |
| Advantages | Realistic simulation of a cyberattack; no internal influence | Combines elements of black and white box tests; more efficient identification of vulnerabilities | In-depth analysis possible; identification of vulnerabilities in source code and configurations |
| Disadvantages | Internal and more complex vulnerabilities may be overlooked. | Possibly not as thorough as a whitebox test. | Requires a lot of time and only simulates realistic attack scenarios to a limited extent. |
| Time effort | Low | Medium | High |
Why are penetration tests so important and indispensable?
Penetration testing is necessary to identify security vulnerabilities in a system, network or
application and help organizations improve their overall security posture. By identifying
vulnerabilities and offering remediation recommendations, organizations can reduce the risk of a
successful cyberattack and protect their sensitive data, systems and reputation.
Although more and more providers are trying to revolutionize the market with "automated
penetration tests", it is almost impossible to replace the creativity of a human.
The results of a penetration test can vary depending on the scope of the test and the organization's specific goals. However, here are some common results that can be expected from a penetration test:
- Identifying Vulnerabilities: A penetration test can identify vulnerabilities in a system that could be exploited by an attacker. This includes software bugs, configuration weaknesses and other security vulnerabilities.
- Risk assessment: A penetration test can help organizations assess the risk associated with various vulnerabilities and prioritize which ones should be addressed first.
- Remediation Recommendations: A penetration test can provide recommendations to remediate identified vulnerabilities and improve the security posture of the system.
Activities
Aviation industry
As an external Red Team, we were allowed to attack one of the largest aviation companies.
Universities
At a British research institute we found external and internal threats.
Car manufacturers
We found dozens of security gaps for a German manufacturer.
IT companies
We were able to detect a large PII leak in a Brazilian company.
Insurance companies
We regularly assess the external IT security of potential policyholders.
Robotics
At regular intervals we carry out penetration tests against a well-known robotics application.
Railway companies
We were allowed to analyze the entire infrastructure of a foreign railway company.
SaaS providers
SaaS providers are classic customers - the complexity of these applications makes regular pen tests necessary.
Gaming
Gaming portals are also part of our customer portfolio.
Process of a penetration test
In a kickoff meeting, the scope and approach are agreed with the people responsible. It is clarified what will be tested and how. Everything that may already have been discussed beforehand is confirmed and critically questioned (application functions, roles/rights, test environments, no-gos, technology, ...). Together with the customer, we lay a foundation that allows us to carry out the penetration test successfully. The customer's individual wishes are also taken into account (communication during the test, test times, VPN, ...).
We get to work. As a team, we look for security gaps and problems within the defined scope. If it is a classic black box pentest against a web application, for example, we use tools such as Nmap or Burp Suite. In the first phase we try to understand the target and its regular function. We then go through each function in a structured manner and look for security gaps, incorrect configurations and general technical problems. The exact procedure, the level of automation and the selection of tools depend on the specific engagement. Customers often require not only a very focused technical penetration test, but also a certain red teaming component. In such a case, we use OSINT, threat intelligence and other sources to compromise the target application in other ways if necessary (e.g. access to source code or credentials through leaks on the Internet).
We usually create a detailed report as a PDF. The report includes a summary for the management as well as the technical part. The latter describes the scope, methodology and all findings. We ensure that the customer's technical staff can reproduce our findings. It has proven useful for us to point out current problems of a general nature within the report - this way we can quickly see whether a function could become a problem in the future and what the developers would have to do to prevent this. We want to help the customer proactively. The technically responsible person receives the report at an agreed date - usually via a secure channel.
In a final discussion, we answer the customer's questions, explain our findings and make sure the customer has really understood their impact. Each final discussion is very individual and is planned accordingly.
Optionally, we offer to verify the developers' fixes. Here we not only re-execute the payloads we originally provided, but also consider potential bypasses that the developers may not have had on their radar. In this way, the applications can be hardened further.
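The scope agreed in the kickoff (allowed networks and hostnames plus the no-gos) is something a tester wants to enforce mechanically before any tool such as Nmap is pointed at a target. The following Python scope checker is an added example, not DSecured's tooling or process; the scope entries and target list are constructed for illustration, and the wildcard rule (a `*.example.com` entry also covering the apex `example.com`) is an assumption of this example. A no-go always wins over an allowed entry, even when the no-go lies inside an allowed network.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Scope agreed in the kickoff: what may be tested and what is a no-go."""
    networks: list = field(default_factory=list)        # ipaddress.ip_network objects
    hostnames: set = field(default_factory=set)         # exact names or "*.suffix"
    no_go_networks: list = field(default_factory=list)  # excluded IP ranges
    no_go_hostnames: set = field(default_factory=set)   # excluded names / patterns


def _name_matches(name, patterns):
    """Case-insensitive hostname match; '*.suffix' covers subdomains and the apex."""
    name = name.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if name == pat[2:] or name.endswith(pat[1:]):
                return True
        elif name == pat:
            return True
    return False


def _net_contains(addr, networks):
    return any(addr in net for net in networks)


def parse_scope(allowed, excluded):
    """Build a Scope from two lists of strings (CIDRs, single IPs or hostnames)."""
    scope = Scope()
    for entries, nets, names in ((allowed, scope.networks, scope.hostnames),
                                 (excluded, scope.no_go_networks, scope.no_go_hostnames)):
        for item in entries:
            try:
                # Single IPs parse as /32 or /128 networks.
                nets.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                names.add(item.lower())
    return scope


def classify_target(scope, target):
    """Return (in_scope, reason) for one IP address or hostname. No-gos take precedence."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if _net_contains(addr, scope.no_go_networks):
            return False, "explicit no-go"
        if _net_contains(addr, scope.networks):
            return True, "inside allowed network"
        return False, "not in any allowed network"
    if _name_matches(target, scope.no_go_hostnames):
        return False, "explicit no-go"
    if _name_matches(target, scope.hostnames):
        return True, "matches allowed hostname"
    return False, "hostname not in scope"


def split_targets(scope, targets):
    """Partition a target list into what the tester may touch and what must be skipped."""
    allowed, rejected = [], []
    for target in targets:
        ok, why = classify_target(scope, target)
        (allowed if ok else rejected).append((target, why))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample scope: one /24, one wildcard domain, one partner API host,
    # with a single production host and the gateway address excluded as no-gos.
    demo_scope = parse_scope(
        allowed=["10.0.0.0/24", "*.example.com", "api.partner.net"],
        excluded=["10.0.0.1", "prod.example.com"],
    )
    demo_targets = ["10.0.0.50", "10.0.0.1", "10.0.1.7",
                    "Shop.Example.com.", "prod.example.com", "evil.partner.net"]
    ok, skipped = split_targets(demo_scope, demo_targets)
    for entry in ok:
        print("TEST  ", *entry)
    for entry in skipped:
        print("SKIP  ", *entry)
```

Feed the output of `split_targets` to whatever drives the scanner, and keep the rejected list in the report so the customer can see which hosts were deliberately left alone.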
Unfortunately, many of our customers do not wish to be named, and showing concrete results or reports is often undesirable or prohibited by NDA - which is more than understandable. In order to prove to you as a potential customer that we know what we are doing and are successful at it, almost all of our employees are heavily involved in bug bounty hunting. We search for, find and report complex critical security gaps to companies such as PayPal, Tesla or Apple. We recommend searching for the names on the Internet. You will find various public reports on platforms such as HackerOne or Bugcrowd, but also on "Thank you" pages from Apple, SAP or Microsoft.
We are also happy to arrange personal contacts with customers.
Complementary services
Continuous monitoring
Our platform "Argos" is able to monitor your entire external infrastructure non-stop - so you and we can quickly identify potential problems. The platform looks for and reports anomalies to us.
Red Teaming
Red teaming combines all IT security disciplines to achieve a defined goal. If you are confident that your infrastructure and applications are secure, red teaming is a solid tool to ensure they stay that way.
Darknet Intelligence
Too often we take part in highly complex technical penetration tests that nevertheless cannot prevent employee data for the tested portal from being leaked on the Internet. As a customer you should know about it!
What clients say about us
„I've been really impressed with DSecured. The results they delivered exceeded our expectations. They found a wide range of IT problems and severe vulnerabilities and always communicated clearly. Working with them has been straightforward and reassuring.“
„The security of our customers’ data is our top priority. Thanks to DSecured, we were able to improve the resilience of our systems and realize how important the topic of "Shadow IT" is. The commitment of the team and their skills made the crucial difference for us.“
„DSecured was able to discover a surprising number of previously undetected security gaps in our infrastructure. The Argos platform as well as classic penetration tests were used for this. We really appreciated the honest advice on the subject of IT security and automation and would like to thank Mr. Strobel for this.“
„Mr. Strobel and his team regularly carry out penetration tests against our automation platform - and always find what they are looking for. The results are presented clearly and reproducibly. Communication has so far taken place via short channels, for example via Slack. We can definitely recommend DSecured.“