PENETRATION TEST / PENTEST OR INTERNET SECURITY SCAN?

  • A1: Injection
  • A2: Broken Authentication and Session Management
  • A3: Cross-Site Scripting (XSS)
  • A4: Insecure Direct Object References
  • A5: Security Misconfiguration
  • A6: Sensitive Data Exposure
  • A7: Missing Function Level Access Control
  • A8: Cross-Site Request Forgery (CSRF)
  • A9: Using Components with Known Vulnerabilities
  • A10: Unvalidated Redirects and Forwards

An Internet Security Scan or Internet Penetration Test (PenTest for short) should be carried out regularly in order to identify and eliminate vulnerabilities and potential risks in a timely manner and thus minimize the risk of a successful hacker attack.

The tests are offered in blackbox and whitebox versions. Blackbox means that no information beyond the IP addresses or domains to be tested is provided. With whitebox, on the other hand, relevant information about the infrastructure is made available before the test begins, and there is ongoing coordination with the client. This increases the efficiency of the resources used and the level of detail of the results.

BSI standardized PenTest

The test is carried out on the basis of the implementation concept for penetration tests of the German Federal Office for Information Security (BSI). This ensures a structured and methodical procedure with comprehensible results.

Phase 1: Preparation
Definition of the IP address ranges or Internet domains to be tested and the organizational framework conditions as well as the selection of the testing approach (white or black box).

Phase 2: Gathering information
Procurement of all publicly available information about the infrastructure to be tested. In the case of a whitebox test, the information provided by the client is also taken into account. Internet Security Scan and Web Application Security Scan of authorized IP addresses and websites.

Phase 3: Evaluation of the information / risk analysis
Analysis and evaluation of the identified vulnerabilities and risks. Identification of systems and applications where potential attack points have been identified (as a target for phase 4).

The results of phase 3 are documented in the form of a technical report and submitted to the client (not for black box).

Phase 4: Active penetration tests
Based on the technical report of phase 3, targeted attempts are made to exploit the potential vulnerabilities (penetration test) in order to gain unauthorized access to data or systems.

Phase 5: Final analysis
During the final analysis, the results of the test execution are evaluated with regard to potential risks (low, medium, high) and concrete recommendations are developed to mitigate them.


The results of the PenTest or Internet Security Scan are documented in the form of a test report consisting of a management summary and a detailed technical description.

Enjoy the certainty that you have actively taken important steps for your own IT security!


YOUR ADVANTAGES

  • Detect vulnerabilities in your IT before they are exploited.
  • Optimal combination of automated tests and manual penetration tests by our IT security specialists.
  • Risk assessment of the vulnerabilities found.
  • The final report includes a management report and detailed descriptions of the identified vulnerabilities as well as appropriate recommendations for action.
