A penetration test, or pentest, is an audit which purpose is to check the security of a resource (IP subnet, website or web application, mobile application, internal network...) from an attacker point of view. It is the best way to concretly assert the efficiency of the protection measures that were put in place.
We evaluate the security of the perimeter that was defined with you folowing a methodological approach and a technical process specific to the tested assets, which takes inspiration notably from the PTES (Penetration Testing Execution Standard), as well as essential resources such as OWASP.
A clear and detailed audit report is written at the end of the engagement to list the security defects, but also mention positive aspectsas well as necessary corrective actions to fix or mitigate the potential vulnerabilities. The restitution of this report is a phone or visio call, or a meeting within your office, and is organized in two parts:
We suggest you to check the list of our audit services in order to have more detailed information about our pentests.
Before the penetration testing, we define the perimeter of the audit with you. It can be your company website, specific web applications, a group of devices, an IP range, physical buildings...
We also define the level of information that our auditors have at the beginning of the tests:
On the day of the audit, we organize a launch meeting with your technical team, then after a last confirmation, we start the technical tests.
In a black box setting, our pentests typically start by a passive reconnaissance phase where we gather information about the target, without establishing any connection to it. Then follows a fingerprinting phase that starts by enumerating exposed services and ports.
For every service exposed, we search for known vulnerabilities, configuration vulnerabilities, and we also identify user entry points we could exploit to compromise the perimeter.
In a grey box setting, where we generally have one or more accounts to our disposal, we also check that the functionnalities and data are correctly compartmentalized (access controls), and that a lateral deplacement or a privilege escalation are not possible.
In a white box setting, we check the access controls of the admin account, but we also check that the privileges granted to this kind of account are not permissive enough to escape from the app and take control of the server.
If we have the source code at our disposal, we perform a brief source code audit from a security perspective, in order to discover more vulnerabilities.
We then sum up the main results of the audit during a brief phone call with your team, before finishing by writing the deliverables.
Our quality methodological approach offers:
Since November 2020, we are Prestataire d'Audit de la Sécurité des Systèmes d'Information (PASSI). This French qualification, delivered by ANSSI, confirms our audit expertise as well as the care with which we ensure the confidentiality of our clients' data. This qualification also confirms our respect of the ISO 19011 audit procedure. We are qualified on pentests, configuration audits, architecture audits, as well as organisational and physical audits.
Penetration testing aims to identify vulnerabilities that could give an attacker access to sensitive data or take control of an internal server. By identifying these vulnerabilities, it is possible to correct them before a malicious user can exploit them, thus avoiding any risk to the company's business.
Vulnerability scanning is a tool for highlighting various security flaws. As the results are surface-based, it is necessary to complete the vulnerability scan with a pentest web to evaluate the vulnerabilities (the association of these vulnerabilities, possible attack paths... ) and check their exploitability.
To find out more, see the article on the differences between a vulnerability scanner and a pentest.
The duration of a web pentest depends on several factors: in particular, the scope of the application, mainly determined by its size and the number of IPs or URLs supplied. On average, tests last from 6 to 14 days.
To guarantee a relevant estimate of the scope to be audited, our surveyors are involved in the pre-sales process and/or are consulted by our sales team.
We deploy two pentesters for several reasons. In penetration testing, the "human analysis" aspect is of paramount importance. These experts analyze vulnerabilities, the chains of vulnerabilities, and implement scenarios similar to a malicious attack.
By opting for a team of two pentesters, we guarantee our customers a high level of expertise and quality service. We promote the pooling of our experts' skills, encouraging the exchange of information, the verification of detected faults, and the sharing and pooling of their knowledge.
Specialists in information security and pentest in Lyon, Paris, Saint-Etienne and throughout France
You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.