Pentesting (penetration testing) is a simulated attack exercise to identify security gaps in an application. For us, this includes reconnaissance to learn about an application, the use of a broad set of tools to identify specific types of security issues, and always includes manual testing.
Manual testing is essential for assessing things like authorization bypass:
- A user in Role 1 should not be able to perform an action reserved for Role 2
- User 1 should not be able to see data belonging to User 2, who is in a different org
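The two properties above are the vertical (role) and horizontal (tenant) authorization checks a server has to enforce on every request. As an added illustration, not code from the original page or from the firm describing this engagement, the block below shows both checks next to the unchecked lookup pattern that a manual test is designed to find. All users, roles, orgs and invoice records are constructed sample data, and the role names and permission table are hypothetical.

```python
"""Added example (not part of the original page): server-side authorization
checks for the two bypass classes a manual pentest exercises.
All users, orgs, roles and records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str  # hypothetical role names: "member" or "admin"


# Hypothetical policy: which actions each role may perform (vertical axis).
ROLE_PERMISSIONS = {
    "member": {"read_invoice"},
    "admin": {"read_invoice", "delete_invoice", "invite_user"},
}

# Constructed records; each belongs to exactly one org (horizontal axis).
INVOICES = {
    "inv-1": {"org_id": "org-a", "amount": 120},
    "inv-2": {"org_id": "org-b", "amount": 999},
}


class AuthorizationError(Exception):
    """Raised when a request fails either authorization check."""


def can_perform(user: User, action: str) -> bool:
    """Vertical check: is the action granted to the caller's role?"""
    return action in ROLE_PERMISSIONS.get(user.role, set())


def fetch_invoice_unchecked(invoice_id: str) -> dict:
    """The pattern a tester looks for: a lookup keyed only by the id the
    client supplied, with no check that the record belongs to the caller's
    org. Any authenticated user can read any invoice by guessing ids."""
    return INVOICES[invoice_id]


def fetch_invoice(user: User, invoice_id: str) -> dict:
    """Horizontal check: the caller needs the read permission AND the record
    must belong to the caller's org. A cross-org id fails the same way as an
    unknown id, so the error does not confirm that the record exists."""
    if not can_perform(user, "read_invoice"):
        raise AuthorizationError("role may not read invoices")
    record = INVOICES.get(invoice_id)
    if record is None or record["org_id"] != user.org_id:
        raise AuthorizationError("invoice not found")
    return record


def delete_invoice(user: User, invoice_id: str) -> bool:
    """Both checks together: the admin role is required, and the record is
    resolved through the org-scoped fetch so a foreign id is rejected."""
    if not can_perform(user, "delete_invoice"):
        raise AuthorizationError("role may not delete invoices")
    fetch_invoice(user, invoice_id)  # re-uses the org-scope check
    del INVOICES[invoice_id]
    return True


def denied(fn, *args) -> bool:
    """Helper for demonstrations/tests: True if the call was refused."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    member_a = User("u1", "org-a", "member")
    admin_b = User("u2", "org-b", "admin")
    # Unchecked lookup: org-a member reads org-b's invoice (the finding).
    print("unchecked cross-org read:", fetch_invoice_unchecked("inv-2"))
    # Checked lookup: same request is refused.
    print("checked cross-org read denied:", denied(fetch_invoice, member_a, "inv-2"))
    # Role bypass attempt: member tries an admin-only action.
    print("member delete denied:", denied(delete_invoice, member_a, "inv-1"))
```

The important design point is in `fetch_invoice`: the tenant check is applied at the data-access layer, not left to the UI, so every endpoint that resolves an invoice inherits it, and `delete_invoice` gets the horizontal check for free by calling it.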
We typically scope penetration tests based on the technology, size of the application, the number of different roles and the type of data involved.
We typically deliver a written report in PDF format at the completion of a pentest and then hold a “readout” call to explain the findings and answer any questions. We work hard to provide real-world, context-sensitive remediation advice for the issues identified.
Pentesting is a very common type of security project; it is mandated by various standards and is considered an essential process for most companies.
Reach out to firstname.lastname@example.org and we’d be happy to talk you through how this engagement works. Alternatively, reach out directly to Matt@ to get engaged.