Penetration tests check the effectiveness of a client's security policies by launching a mock attack in the way a hacker would, in order to see whether it is possible to access the network. Tests vary in intensity, from a mere overview of the security environment to a full hacking attempt. DSS penetration tests are able to reveal:
Only a real penetration test can simulate the effect that a determined hacker would have if he attacked an organization.
When conducting Black Box testing, DSS does not test the business logic of the web application or give thought to how vulnerabilities may impact the system's users. Black Box testing is useful, however, for identifying the OWASP top ten vulnerabilities. Tests are conducted against the external application and a blind test is assured because DSS does not use credentials to test the application.
The penetration test is conducted without the client providing any information on the composition and state of the target. The contractor selects the format of the test, closely mimicking the actions of a real hacker.
The testing process may be coordinated, with partial disclosure of the test object by the customer (software, hardware, network performance, and data concerning key personnel).
Internal: the system is audited from within the organization. Depending on the size of the organization and the IP address ranges, among other factors, the test typically takes a team of two employees between seven and twelve business days. The testers visit the client's offices each day to sniff the network and penetration-test the system, with the same access that regular employees of the firm have. If asked to do so, the testers can attempt to gain access to the company's financial department or other resources, as specified.
External: the company's infrastructure and/or web application is appraised in order to mimic a former employee attempting to gain access. The former employee is presumed to have prior knowledge of the application and the organization's resources. The testers will learn the application, study software documentation and meet with developers in order to maximize the effectiveness of the test.
With more than ten years' experience of testing clients' Web Application Security (WAS), DSS has developed a detailed and structured methodology based on OWASP for carrying out WAS assessments. By getting into the mindset of a hacker, DSS sets out to exploit vulnerabilities and misconfigurations in the application. This is the optimal way to conduct web application testing.
The company is currently developing a system to combat international cyber crime, which will equip law enforcement authorities in any jurisdiction to tackle computer-based crime effectively. Crucially, the technology assists at the most problematic stages of a criminal investigation, including the collection of evidence, DDoS protection and web auditing.