Performing penetration tests
Why do you need penetration tests?
- You want to convince your customers and partners that your applications and solutions are secure
- You want to be prepared before an audit or a certification
- You need to ensure you are GDPR compliant
- Or maybe you simply want to verify the level of maturity of your company in terms of information security…
In each case, whether you are a start‑up or a well-established company, the ultimate question you want to answer is "Can an attacker find and exploit a vulnerability in our application that could compromise the security of our organisation?" This is what intrusion/penetration tests are all about.
Since hackers will not limit themselves to one attack channel, we target many components of your systems during our intrusion tests: the infrastructure, custom applications and packages, the business logic, even operational processes and human operators.
The key is the technical expertise
By combining the experience our ethical hackers have acquired through hundreds of missions over more than 15 years with professional automated tools and manual testing, we deliver highly effective results, even in proprietary environments like dedicated hardware, home‑made communication protocols, etc.
In our cyber‑lab, we even developed proprietary tools because no commercial one provided the needed functionality. And because our cyber‑security team includes both ethical hackers and other technology specialists (like development framework experts, malware developers, infrastructure administrators), we can deliver the best contextualised recommendations and not only generic ones. We provide formal mission reports to address audit requirements and also perform quick tests for start‑ups and SMBs.
Our deliverable is a clear report with actionable recommendations
Like all security assessments we perform, the result is a detailed and contextualised report containing valuable recommendations to make attacks much harder (or impossible). These recommendations are rated, prioritised by criticality and cost, grouped into structural measures if possible, and formalised to be usable in compliance reports and customers’ communication. This is usually complemented by a management summary section and a presentation.
Because an intrusion test is not a cowboy job, we do not destroy anything
Our Security Test approach is based on the principles of the Open Source Security Testing Methodology Manual but is pragmatically customised depending on each mission's scope requirements and constraints. It also includes all key elements from PTES and OWASP and integrates smoothly with the standard ISO/IEC 27008 (as recommended in ISO/IEC 27002‑18.2.3).
Formal Rules of Engagement, based on NIST Special Publication 800‑115, guarantee minimal disturbance of the tested environment and smooth incident handling in case of issues.
Some of the things we can test...
- Web based applications
- Wi‑Fi networks
- Security devices (firewalls, antivirus, WAF, …)
- Mobile applications
- Embedded devices & IoT
- Social engineering & Phishing
Usual penetration testing steps
- Scope definition
- Architecture discovery
- Services enumeration
- Vulnerability tests
- Attack scenario
- Lateral movement to attack other systems
- Reporting and recommendations
“Edenred takes privacy of its customers and employees very seriously. In Approach we found an ideal partner to help us assess our maturity level against the General Data Protection Regulation, establish and drive a roadmap with the objective to meet our compliance obligations.” Koen Reyniers, COO BENELUX EDENRED