Who needs penetration testing?
Nowadays, penetration testing is a standard measure in information security management. Whether it’s based on contractual, legal or regulatory requirements or purely for self-protection purposes, penetration testing gives you valuable information on whether your adopted protection is working as it should.
Benefits
Effectiveness checks
From a formal viewpoint, penetration testing is usually carried out in the form of ‘effectiveness checks’. It is used to test existing security measures from the attacker’s perspective. Attackers often think in a completely different way from administrators or security architects and frequently find implementation gaps in intrinsically well-designed intrusion prevention systems.
Penetration testing is never carried out against your own team. It is more like sparring: a way of practising against a realistic opponent that supports constant improvement.
Compliance
There are countless direct or indirect regulatory, legal or contractual provisions that suggest or require security testing of infrastructures or applications. They range from clients who will only accept tested software or systems to management teams that want to reduce the company’s risk and rule out personal liability.
Our experience
We were one of the first providers to offer penetration testing back in 1998. Since then, we’ve conducted almost 2,000 such tests against almost every conceivable system, application or product in almost every industry. Our clients rely on our expertise – from office IT to industrial plants, healthcare facilities or banking and financial systems (including large payment systems such as SWIFT and TARGET2 in the central banking environment).
Types of penetration test
We’ll happily check the likes of the following for you:
- External and internal IT infrastructures or infrastructure components from an external or internal attacker’s perspective (‘internal scenario’)
- Web and other applications – from shops and B2B to online banking systems
- WLAN/WiFi installations
- The implementation of remote access systems, e.g. based on RDP, Citrix or SSL VPNs, incl. the security of home and remote offices
- Mobile applications for Android or iOS
- REST/SOAP or other APIs, interfaces and protocols
- Control systems and industrial plants
- Source code reviews of your applications for security-relevant aspects
- Product suites like SAP, incl. SAP Basis and Customizing interfaces
- PCI DSS or PA DSS-based tests
- Social engineering attacks such as phishing, spear phishing, circumvention of access controls and physical security measures
We audit your on-premises systems or your systems hosted with cloud providers including Microsoft Azure, Amazon AWS or the Google Cloud Platform. We naturally also consider cloud-specific features of platforms such as Azure and AWS.
For very large infrastructures, we offer tests based on the XM Cyber breach and attack simulation software that performs automated, passive tests within the real infrastructure and can thus detect important gateways and attack paths across the board.
We also perform scenario-based testing (‘Red Teaming’), which is usually built around ‘what if’ attacker scenarios, mostly based on real-world techniques (APT), and is broader in scope than classic tests.
If intrusion prevention teams or SIEM systems are available, we also offer ‘Purple Team’ projects. Here, the ‘attackers’ openly cooperate with the ‘defenders’ (or administrators) to find out whether the attack detection systems actually cover the hacking techniques and approaches used in practice. This often goes hand in hand with a dramatic increase in the effectiveness of detection systems.
We also offer testing in accordance with the German TIBER standard for banks and financial service providers, which has since been adopted by the German Federal Financial Supervisory Authority (BaFin) and the Deutsche Bundesbank. TIBER stands for ‘Threat Intelligence-based Ethical Red Teaming’.