Pentest, audit and penetration testing

Penetration Testing

A penetration test, or pentest, is an audit which purpose is to check the security of a resource (IP subnet, website or web application, mobile application, internal network...) from an attacker point of view. It is the best way to concretly assert the efficiency of the protection measures that were put in place.

We evaluate the security of the perimeter that was defined with you folowing a methodological approach and a technical process specific to the tested assets, which takes inspiration notably from the PTES (Penetration Testing Execution Standard), as well as essential resources such as OWASP.

A clear and detailed audit report is written at the end of the engagement to list the security defects, but also mention positive aspectsas well as necessary corrective actions to fix or mitigate the potential vulnerabilities. The restitution of this report is a phone or visio call, or a meeting within your office, and is organized in two parts:

  • Managerial restitution: gives a high-level vision of the vulnerabilities identified, presents the risks and global improvements that can be made
  • Technical restitution: details the vulnerabilities, allows a technical exchange with your team around the remediation plan

We suggest you to check the list of our audit services in order to have more detailed information about our pentests.

audit-pentest

Our methodology

Before the penetration testing, we define the perimeter of the audit with you. It can be your company website, specific web applications, a group of devices, an IP range, physical buildings...

We also define the level of information that our auditors have at the beginning of the tests:

boite-noire

boite-grise

boite-blanche

On the day of the audit, we organize a launch meeting with your technical team, then after a last confirmation, we start the technical tests.

In a black box setting, our pentests typically start by a passive reconnaissance phase where we gather information about the target, without establishing any connection to it. Then follows a fingerprinting phase that starts by enumerating exposed services and ports.

For every service exposed, we search for known vulnerabilities, configuration vulnerabilities, and we also identify user entry points we could exploit to compromise the perimeter.

In a grey box setting, where we generally have one or more accounts to our disposal, we also check that the functionnalities and data are correctly compartmentalized (access controls), and that a lateral deplacement or a privilege escalation are not possible.

In a white box setting, we check the access controls of the admin account, but we also check that the privileges granted to this kind of account are not permissive enough to escape from the app and take control of the server.

If we have the source code at our disposal, we perform a brief source code audit from a security perspective, in order to discover more vulnerabilities.

We then sum up the main results of the audit during a brief phone call with your team, before finishing by writing the deliverables.

Advantages of Algosecure, pentest specialist in Lyon

Our quality methodological approach offers:

  • Quality understandable reports manually written
  • The complementary look of two engineers
  • A thorough manual analysis, necessary to complete the automatic approach
  • Clear and precise corrective actions
  • A presentation within your office allowing for exchanges with your technical team

ANSSI's security visa

We are PASSI qualified!

Since November 2020, we are Prestataire d'Audit de la Sécurité des Systèmes d'Information (PASSI). This French qualification, delivered by ANSSI, confirms our audit expertise as well as the care with which we ensure the confidentiality of our clients' data. This qualification also confirms our respect of the ISO 19011 audit procedure. We are qualified on pentests, configuration audits, architecture audits, as well as organisational and physical audits.

Frequently Asked Questions about pentests

Penetration testing aims to identify vulnerabilities that could give an attacker access to sensitive data or take control of an internal server. By identifying these vulnerabilities, it is possible to correct them before a malicious user can exploit them, thus avoiding any risk to the company's business.

Vulnerability scanning is a tool for highlighting various security flaws. As the results are surface-based, it is necessary to complete the vulnerability scan with a pentest web to evaluate the vulnerabilities (the association of these vulnerabilities, possible attack paths... ) and check their exploitability.

To find out more, see the article on the differences between a vulnerability scanner and a pentest.

The duration of a web pentest depends on several factors: in particular, the scope of the application, mainly determined by its size and the number of IPs or URLs supplied. On average, tests last from 6 to 14 days.

To guarantee a relevant estimate of the scope to be audited, our surveyors are involved in the pre-sales process and/or are consulted by our sales team.

We deploy two pentesters for several reasons. In penetration testing, the "human analysis" aspect is of paramount importance. These experts analyze vulnerabilities, the chains of vulnerabilities, and implement scenarios similar to a malicious attack.

By opting for a team of two pentesters, we guarantee our customers a high level of expertise and quality service. We promote the pooling of our experts' skills, encouraging the exchange of information, the verification of detected faults, and the sharing and pooling of their knowledge.

Other pages that might interest you :

Mobile application audits

We audit your Android and iOS mobile applications.

Internal networks (LAN) audits

We audit your internal network to show you what an attacker might have access to.

Red Team audit

We test the security of your building and your staff based on scenarios we conceive with you.

You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.