The penetration test aims to identify the greatest possible number of vulnerabilities in the infrastructure and systems under analysis. We work beneath the surface: rather than limiting ourselves to scanning for known vulnerabilities, we verify issues that automated scans cannot detect. This is an Ethical Hacking activity in which a real cyber attack is simulated against all the systems within the agreed perimeter.
Carrying out a penetration test requires coordinated, cross-cutting work: every functionality, device or endpoint within the test perimeter is manually analyzed in detail in search of vulnerabilities. The experience and skill of the pen test team produce results that cannot be obtained with the tools available on the market.
Our team of experts performs penetration testing in compliance with the OWASP standards (The Open Web Application Security Project), an open-source project that has standardized the guidelines, tools and methodologies needed to improve application security. The OWASP standards represent a point of reference in the world of information security, with effective procedures for identifying, evaluating and categorizing vulnerabilities.
Once the tests are completed, each finding is assigned a score representing the risk of a cyber attack. The risk is calculated using the CVSS (Common Vulnerability Scoring System): the score for a vulnerability reflects the impact it would have if an attacker exploited it, combined with how difficult it is to exploit.
There are three ways to perform this type of test:
As the name implies, in Black Box mode the tester has no prior knowledge of the target system and simulates a genuine external attack. The aim is to establish the real chances an attacker has of breaching the target in question. In this case the client does not share any details with our team about the components within the perimeter.
Because profiling and information gathering take a great deal of time, this mode is recommended when there is a concrete security concern whose source cannot be identified, and the available time window is sufficiently large.
Grey Box is a middle ground between Black Box and White Box. In this case the tester has partial knowledge of the target system and the technologies involved: the features to be tested, the technologies in use and the access credentials may be known in more or less detail. Grey Box is the most common mode because it yields good results while reducing the time required compared to a Black Box test.
White Box is the exact opposite of Black Box: the client shares all the detailed documentation of the platform and functionality to be tested, along with example use cases, source code and any other information useful for a complete understanding of the infrastructure.
This mode is recommended during the initial development stages of a new application, with the aim of building an effective security posture from the outset, or as a follow-up to a grey or black box analysis.
Book a call with our team and request a consultation tailored to your business.
Penetration tests are differentiated according to the type of system targeted by the analysis. Soter's team specializes in implementing different types of tests according to business needs.
To test the security of a web application (website or application API).
To assess the security level of a network and the perimeter exposed to the Internet.
To investigate the security of iOS or Android applications and, usually, their APIs.
To establish the security of the wireless networks provided by the company.
To test the security and possible vulnerabilities of one or more IoT devices.
In this initial phase, the Soter team supports the customer in choosing the service and defining the scope of the engagement, taking into account the customer's needs and the objective to be achieved.
After careful evaluation, an estimate of days needed to carry out the test and write the report is proposed. The price for the activity will be provided together with the estimate of days.
Once the proposal is accepted, the start date is set. Further details are then exchanged, such as the source IP address from which the tests will be run and any other information needed to carry them out, including credentials and any limitations on the test.
The penetration test begins on the agreed date. If requested, each day of testing is bracketed by a formal start-of-activity email and an end-of-activity email. Vulnerabilities considered critical are communicated before the final report is delivered, so that they can be fixed immediately.
The delivered report contains detailed descriptions of the vulnerabilities, so that the technical department can easily reproduce them, together with practical suggestions for fixing the problems identified.
Relying on professionals for your company's IT security is essential: our team has many years of experience performing penetration tests, and our specialization is backed by numerous certifications recognized at company level. Talk to one of our experts, find out which solution is right for you, and let's evaluate your situation together.
Do you want to prevent cyber attacks in your company and guarantee a protected infrastructure for your customers? Contact us to evaluate the security of your business's IT systems.