Penetration Testing
A 5-day high-intensity testing project with a clearly defined goal, fixed price, and 110% satisfaction guarantee.
Description
Our Penetration Testing service is a Testing Intensive, which is delivered in three distinct phases:
Phase 1: Intake
It all begins with the Mission Briefing, an initial workshop that normally takes 1-2 hours. The Mission Briefing clarifies the goal of your Testing Intensive and turns it into an action plan.
Phase 2: Testing
This phase takes 5 days, usually from Monday to Friday. We test like TestGurus do and present the results to you with concrete action proposals, so that you can continue to make your product even more impressive.
Phase 3: Follow-up
Testing results alone won't make your project any better. The actions that follow the results do. We will establish a plan aimed at correcting your quality pain points.
More information on Testing Intensives here.
Pricing
The price is fixed at €9.450 (VAT 0%).
All the needed tools, licenses, and devices are included in this price. No surprise fees guaranteed!
110% Satisfaction Guarantee
We are the best at everything we do. That's why our work comes with a full satisfaction guarantee. If for any reason you want your money back, we will refund it plus 10% for the effort you put in and the lessons we learned!
The guarantee protects not only you but also us. It is not worthwhile for either side to cooperate if success is not likely!
Ask about penetration testing and we'll be in touch in the next 24 hours!
The Benefits of Penetration Testing
Web applications were the action vector in 80% of incidents and in 60% of data breaches, making them the top action vector in both breaches and incidents. (Verizon Data Breach Investigations Report 2023)
Prevent Data Breaches
More than just a shield, penetration testing is a proactive line of defense that preempts potential data breaches. It safeguards your critical information, upholding trust and preserving your business reputation.
Reveal Vulnerabilities
Act before attackers can exploit vulnerabilities. Penetration testing is akin to a comprehensive health check for your security systems. It uncovers hidden weak points, allowing you to rectify them before they can be exploited and keeping you one step ahead of cyber threats.
Enable Proactive Security
With penetration testing you are not just reacting to threats, you are anticipating them. This proactive method identifies and reinforces weak points in your defenses, ensuring seamless operations and giving your clients confidence in the safety of their data.
What is OWASP Top-10?
For web application security testing, Android security testing, iOS security testing and API security testing, the Open Worldwide Application Security Project’s (OWASP) Top 10 list of security threats is a good base and initial scope for the testing.
OWASP is a worldwide non-profit organization focused on improving the security of web applications. The latest update of the list is from September 2021. The Top 10 list is a broad consensus on the most critical security risks to web applications, formed by a community of over 30000 security experts around the world.
OWASP A01: Broken Access Control
A user should have access only to the objects and actions that are permitted for that user. Access control failures can lead to information disclosure, modification or deletion of data, unauthorized file access, or performing a function outside the user’s limits.
OWASP A02: Cryptographic Failures
Data requires protection both in transit and at rest, depending on the sensitivity of the data. Passwords, credit card numbers, health records, personal information and so on require extra protection, especially when the data falls under privacy laws (e.g. GDPR).
OWASP A03: Injection
Hostile data from an untrusted source can reach an interpreter, which then executes the injected data. The interpreter can be, for example, a database (e.g. SQL injection), the operating system (e.g. OS command injection) or the user’s browser (cross-site scripting).
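The database case above, shown as an added example (not code from the page or from the service described): the same lookup written once with untrusted input spliced into the SQL text and once with a bound parameter. The in-memory SQLite table and its three users are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the page.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Untrusted input spliced into the SQL text (the A03 flaw).

    The database engine cannot tell the caller's data from query syntax,
    so a quote character in the input changes what the query means.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Same lookup with a bound parameter: the input is only ever a value."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves identically in both versions.
    print(find_user_vulnerable(db, "alice"), find_user_safe(db, "alice"))
    # Input containing a quote: the vulnerable query's WHERE clause is
    # rewritten and matches every row; the bound query matches nothing.
    odd = "x' OR '1'='1"
    print(find_user_vulnerable(db, odd))
    print(find_user_safe(db, odd))
```

In a review or a test, the bound-parameter form is the expected shape for every query that carries user-controlled data; string formatting into SQL is the finding, regardless of whether a particular input has yet been shown to alter the query.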
OWASP A04: Insecure Design
Implementations that follow the design precisely are not unconditionally secure, as the design itself may contain flaws. For example, business logic errors, bypassable client-side security and external control of file names and paths expose the system to different types of vulnerabilities.
OWASP A05: Security Misconfiguration
Security misconfigurations appear in many different places: for example, unnecessary features are enabled, error handling reveals information about the system’s internals, and the application server, frameworks, libraries, databases etc. are not set to secure values. Although configurations cannot be reviewed directly in black-box testing, misconfigurations show up as security vulnerabilities.
OWASP A06: Vulnerable and Outdated Components
When a component’s name and version number are known, its known vulnerabilities can be searched on sites like https://cve.mitre.org/ and https://nvd.nist.gov/. These vulnerabilities are widely known and usually patched in the component’s newest version.
OWASP A07: Identification and Authentication Failures
Authentication-related attacks target the confirmation of the user's identity, authentication and session management. Only users with correct credentials should have access to the system. For example, if authentication can be bypassed, external users can obtain information they are not allowed to access. Session management should always create a new authentication token whenever a user logs in or out, and the token should be automatically invalidated after a timeout.
OWASP A08: Software and Data Integrity Failures
Applications, the CI/CD pipeline and auto-updates should always use a trusted data source and have sufficient integrity verification. Data sent by an attacker is always untrusted, and serialized data in particular requires some form of integrity check or digital signature to prevent insecure deserialization.
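The integrity check the paragraph asks for, as an added example rather than code from the page or the service: serialized state is canonical JSON carrying an HMAC-SHA256 tag, and the receiver verifies the tag before anything is parsed. The key, the sample session object and the helper that swaps in a modified payload are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demonstration key; a real service loads this from a secret store.
SECRET_KEY = b"demo-signing-key-not-for-production"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def serialize_signed(obj, key: bytes = SECRET_KEY) -> str:
    """Serialize obj as canonical JSON and append an HMAC-SHA256 tag.

    JSON carries only data, unlike formats such as pickle whose decoding can
    execute code; the tag lets the receiver prove the bytes are unchanged.
    """
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def deserialize_verified(token: str, key: bytes = SECRET_KEY):
    """Return the decoded object, or None if the token is malformed or altered.

    The tag is checked before the payload is parsed, so untrusted bytes never
    reach the deserializer.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:  # wrong shape, or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def with_replaced_payload(token: str, new_obj) -> str:
    """Keep a token's original tag but swap in a different payload.

    Constructed only to show what a token modified in transit looks like to
    the verifier; it has no legitimate use in an application.
    """
    _, tag_b64 = token.split(".", 1)
    payload = json.dumps(new_obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64e(payload) + "." + tag_b64


if __name__ == "__main__":
    session = {"user": "bob", "role": "user"}  # constructed sample state
    token = serialize_signed(session)
    print(deserialize_verified(token))  # the original object
    altered = with_replaced_payload(token, {"user": "bob", "role": "admin"})
    print(deserialize_verified(altered))  # None: tag no longer matches
    print(deserialize_verified(token, key=b"other-key"))  # None: wrong key
```

The same pattern applies to the pipeline and update cases in the paragraph: artifacts are accepted only when a signature made with a key the consumer trusts verifies over the exact bytes received, and verification happens before the artifact is unpacked or executed.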
OWASP A09: Security Logging and Monitoring Failures
When a system is properly monitored and operations are logged, suspicious actions are easier to detect. The application should log events, logging should raise alerts, the alerts should be monitored, and when suspicious activity is observed there should be a procedure to handle the situation.
OWASP A10: Server-Side Request Forgery
Requests sent by the server should be controlled only by the server. When a web application has a feature to fetch a remote resource, for example an image, SSRF flaws can occur if the server does not validate the URL. This allows an attacker to make the server send requests to addresses chosen by the attacker.
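A server-side URL check for the image-fetch feature just described, added here as an example and not taken from the page or the service. The policy (HTTPS only, a hostname allowlist, default port, no embedded credentials) and the hostname `images.example.com` are constructed assumptions; the resolver is injectable so the check can be exercised offline, and every resolved address is tested against the private, loopback, link-local, multicast and reserved ranges before the fetch is allowed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for the example: the fetch feature may only talk HTTPS
# to these hostnames on the default port.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com"}


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(text)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 part.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolver(host: str):
    """Default resolver: every address the system resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_fetch_url(url: str, resolver=_system_resolver):
    """Decide whether the server may fetch url; returns (allowed, reason).

    Checks run from cheapest to most expensive: scheme, embedded credentials,
    hostname allowlist, port, and finally every address the name resolves to,
    so an allowlisted name that points at an internal address is still refused.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:  # socket.gaierror is an OSError
        return False, "hostname does not resolve"
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, "resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolvers so the demonstration runs offline.
    public = lambda host: ["93.184.216.34"]
    internal = lambda host: ["10.0.0.5"]
    for url, res in [
        ("https://images.example.com/logo.png", public),
        ("http://images.example.com/logo.png", public),
        ("https://127.0.0.1/admin", public),
        ("https://images.example.com:8080/logo.png", public),
        ("https://images.example.com/logo.png", internal),
    ]:
        print(url, validate_fetch_url(url, resolver=res))
```

Two caveats a tester looks for around a check like this: the fetching client must connect to the address that was validated (or repeat the address check when it connects), since a name can resolve differently between validation and fetch, and HTTP redirects returned by the remote side must be re-validated rather than followed automatically.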
We Host a Free Security Webinar Every Wednesday at 9:00
"How we execute application penetration testing in 5 days based on OWASP Top-10 security threats."
Available Testing Intensives
- Performance Testing: €9.450,00 EUR
- Penetration Testing: €9.450,00 EUR
- QA Strategy: €14.900,00 EUR
- Mobile Testing: €7.900,00 EUR