Prove

Penetration Testing

Regular price $10,450.00 USD

A 5-day-long high intensity testing project with a clearly defined goal, fixed price, and 110% satisfaction guarantee.

Description

Our Penetration Testing service is a Testing Intensive, which is delivered in three distinct phases:

Phase 1: Intake

It all begins with an initial Mission Briefing workshop, which normally takes 1-2 hours. The Mission Briefing clarifies your Testing Intensive's goal and turns it into an action plan.

Phase 2: Testing

This phase takes 5 days, usually from Monday to Friday. We test the way TestGurus do and present the results to you with concrete action proposals, so that you can continue to make your product even more impressive.

Phase 3: Follow-up

Testing results alone won't make your project any better. The actions that follow the results do. We will establish a plan aimed at correcting your quality pain points.

More information on Testing Intensives here.

Pricing

The price is fixed at €9.450 EUR (VAT 0%).

All the needed tools, licenses, and devices are included in this price. No surprise fees guaranteed!

110% Satisfaction Guarantee

We are the best at everything we do. That's why our work comes with a full satisfaction guarantee. If for any reason you want your money back, we will refund +10% of the effort you put in and the lessons we learned!

The guarantee protects not only you but also us. It is not worthwhile for either side to cooperate if success is not likely!

Ask about penetration testing and we'll be in touch in the next 24 hours!

  • Prevent Data Breaches

    More than just a shield, penetration testing is a proactive line of defense, preempting potential data breaches. It safeguards your critical information, upholding trust and preserving your business reputation.

  • Reveal Vulnerabilities

    Act before attackers can exploit vulnerabilities. Penetration testing is akin to a comprehensive health check for your security systems. It uncovers hidden weak points, allowing you to rectify them before they can be exploited, keeping you one step ahead of cyber threats.

  • Enable Proactive Security

    With penetration testing, you're not just reacting to threats, you're anticipating them. This proactive method identifies and reinforces your defense weak points, ensuring seamless operations and instilling confidence in your clients about their data's safety.

What is OWASP Top-10?

For web application security testing, Android security testing, iOS security testing and API security testing, the Open Worldwide Application Security Project's (OWASP) Top 10 list of security risks is a good baseline and initial scope for the testing.

OWASP is a worldwide non-profit organization focused on improving the security of web applications. The latest update of the list is from September 2021. The Top 10 list is a broad consensus, reached by a community of over 30,000 security experts around the world, about the most critical security risks to web applications.


OWASP A01: Broken Access Control

A user should have access only to the objects and actions permitted for that user. Access control failures can take the form of information disclosure, modification or deletion of data, unauthorized file access, or performing a function outside the user's privileges.

OWASP A02: Cryptographic Failures

Data requires protection both in transit and at rest, depending on the sensitivity of the data. Passwords, credit card numbers, health records, personal information and so on require extra protection, especially when the data falls under privacy laws (e.g. GDPR).

OWASP A03: Injection

Hostile data from an untrusted source can end up in an interpreter, which then executes the injected data as part of its own language. The interpreter can be, for example, a database (SQL injection), the operating system (OS command injection) or the user's browser (cross-site scripting).
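
The following is an added illustration of the SQL injection case, not code from this page or from Prove's testing service. It builds a constructed in-memory SQLite table and contrasts a lookup that splices user input into the query text with one that binds the input as a parameter, so the same input is treated as data rather than as SQL. The principle is the same for the other interpreters named above: keep untrusted input out of the interpreter's grammar (argument lists instead of shell strings, output encoding instead of raw HTML).

```python
import sqlite3


def make_demo_db():
    """Build an in-memory table with constructed sample users (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text, so quote characters in the
    input become part of the statement the database interpreter executes."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """The SQL text is fixed; the input is bound as a value and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    conn = make_demo_db()
    hostile = "x' OR '1'='1"   # textbook tautology: the WHERE clause becomes always-true
    print(lookup_vulnerable(conn, hostile))     # ['alice', 'bob'] - every row leaks
    print(lookup_parameterized(conn, hostile))  # [] - no user has that literal name
```

In a review, the thing to look for is any query, command or markup built with string formatting from request data; the fix is almost always the parameterized form shown in `lookup_parameterized`, not input filtering.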

OWASP A04: Insecure Design

An implementation that follows its design precisely is not automatically secure, because the design itself may contain flaws. For example, business logic errors, reliance on client-side security controls that can be bypassed, and external control of file names and paths expose the system to different types of vulnerabilities.

OWASP A05: Security Misconfiguration

Security misconfigurations can appear in many different places: unnecessary features are enabled, error handling reveals information about the system's internals, and the application server, frameworks, libraries, databases etc. are not set to secure values. Although configurations cannot be reviewed directly in black-box testing, misconfigurations show up as security vulnerabilities.

OWASP A06: Vulnerable and Outdated Components

When a component's name and version number are known, its known vulnerabilities can be looked up on sites like https://cve.mitre.org/ and https://nvd.nist.gov/. These vulnerabilities are widely known and usually patched in the component's newest version.

OWASP A07: Identification and Authentication Failures

Authentication-related attacks target the confirmation of the user's identity, the authentication process itself and session management. Only users with correct credentials should have access to the system; if authentication can be bypassed, external users can obtain information they are not allowed to access. Session management should always create a new authentication token whenever a user logs in or logs out, and the token should be automatically invalidated after a timeout.
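
As an added example (not part of the original page or of Prove's service), the session rules in the paragraph above can be written as a small server-side session store: a fresh random token on every login, discarding any token the client presented before authenticating, server-side invalidation on logout, and automatic expiry after an idle timeout. The class, its method names and the 15-minute default are assumptions made for the illustration; the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side sessions: a fresh random token on every login, immediate
    invalidation on logout, and automatic expiry after an idle timeout."""

    def __init__(self, timeout_seconds=900, clock=time.time):
        self.timeout = timeout_seconds
        self.clock = clock                 # injectable so tests can control time
        self._sessions = {}

    def login(self, user, presented_token=None):
        """Called only after the credentials have been verified. Any token the
        client presented before authenticating is discarded (session fixation
        defence) and a new unguessable one is issued."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user, self.clock())
        return token

    def logout(self, token):
        """Invalidate server-side; clearing the cookie alone would leave it usable."""
        self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the user bound to token, or None if unknown, logged out or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.timeout:
            del self._sessions[token]      # purge rather than keep stale entries
            return None
        session.last_seen = now            # activity extends the idle timeout
        return session.user


if __name__ == "__main__":
    store = SessionStore(timeout_seconds=900)
    pre_auth = store.login("anonymous")           # constructed pre-login token
    token = store.login("alice", presented_token=pre_auth)
    print(store.user_for(pre_auth), store.user_for(token))  # None alice
    store.logout(token)
    print(store.user_for(token))                  # None
```

During a test, the behaviours to check against a real application are exactly the three asserted below: the pre-login token no longer works after login, the token stops working after logout even if the browser still holds it, and an idle session expires without user action.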

OWASP A08: Software and Data Integrity Failures

Applications, the CI/CD pipeline and auto-updates should always use a trusted data source and perform sufficient integrity verification. Data sent by an attacker is always untrusted, and serialized data in particular requires some form of integrity check or digital signature to prevent insecure deserialization.
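
The integrity check the paragraph above calls for, as an added example that is not code from this page or from Prove: serialized data is signed with an HMAC-SHA256 tag when it leaves the server and the tag is verified, in constant time, before a single byte of the body is deserialized. The token layout (base64 body, a dot, base64 tag), the function names and the demo key are assumptions made for this illustration; JSON is used rather than pickle because it carries data only, never code.

```python
import base64
import hashlib
import hmac
import json


class IntegrityError(ValueError):
    """Raised when a token is malformed or its tag does not match its body."""


def sign_payload(obj, key):
    """Serialize obj as canonical JSON and append an HMAC-SHA256 tag over those bytes."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (
        base64.urlsafe_b64encode(body).decode("ascii"),
        base64.urlsafe_b64encode(tag).decode("ascii"),
    )


def verify_and_load(token, key):
    """Recompute the tag and compare it in constant time BEFORE the body is parsed;
    anything that fails verification never reaches the deserializer."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:           # includes binascii.Error from bad base64
        raise IntegrityError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity check failed")
    return json.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # constructed; load from a secret store in practice
    token = sign_payload({"user": "alice", "role": "user"}, key)
    print(verify_and_load(token, key))           # {'role': 'user', 'user': 'alice'}
    try:
        verify_and_load(token[:-4] + "AAAA", key)  # a tag that no longer matches the body
    except IntegrityError as err:
        print("rejected:", err)
```

The same shape applies to update packages and build artifacts in a CI/CD pipeline: verify the signature of the downloaded file against a key you already trust before unpacking or executing it, never after.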

OWASP A09: Security Logging and Monitoring Failures

When a system is properly monitored and operations are logged, it is easier to detect suspicious actions. The application should log security-relevant events, the logging should raise alerts, the alerts should be monitored, and when suspicious activity is observed there should be a defined response to handle the situation.

OWASP A10: Server-Side Request Forgery

Requests sent by the server should be controlled only by the server. When a web application has a feature that fetches a remote resource, for example an image, SSRF flaws occur if the server does not validate the URL. This allows an attacker to make the server send requests to addresses of the attacker's choosing.
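
The server-side URL validation the paragraph above asks for, written as an added example that is not code from this page or from Prove. Two layers are shown: `is_safe_fetch_url` accepts only http(s) URLs whose host is on an allow-list of names, refusing embedded credentials, non-standard ports and IP-literal hosts; `is_public_address` is applied to the address the allowed name actually resolves to, immediately before connecting, so that a DNS answer pointing at loopback, private or link-local space is refused as well. The allow-list contents and function names are assumptions for the illustration; DNS resolution itself is left to the caller so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Named hosts this application is allowed to fetch from (constructed for the example).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 80, 443}


def is_safe_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only http(s) URLs whose host is on the allow-list, with no embedded
    credentials, no IP-literal host and a standard port."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False                 # file://, gopher://, ftp:// and similar are refused
    if parts.username is not None or parts.password is not None:
        return False                 # "http://allowed-name@other-host/" confusion
    if port not in ALLOWED_PORTS:
        return False
    host = parts.hostname            # already lower-cased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                 # IP literals bypass the name-based allow-list
    except ValueError:
        pass
    return host in allowed_hosts


def is_public_address(ip_text):
    """Second layer, applied to the resolved address right before connecting:
    refuse loopback, private, link-local, multicast and other non-routable ranges
    so a rebinding or stale DNS answer cannot redirect the request inward."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not (ip.is_loopback or ip.is_link_local or ip.is_multicast)


if __name__ == "__main__":
    for candidate in ("https://images.example.com/logo.png",
                      "http://127.0.0.1/",
                      "file:///etc/hosts",
                      "http://images.example.com@other.example/x"):
        print(candidate, "->", is_safe_fetch_url(candidate))
    print("8.8.8.8 ->", is_public_address("8.8.8.8"))       # True
    print("10.0.0.5 ->", is_public_address("10.0.0.5"))     # False
```

In a black-box test the fetch feature is exercised with each of the rejected shapes above; a server that follows redirects must apply the same checks to every hop, since a redirect from an allowed host otherwise reopens the hole.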
