Penetration tests are a powerful and useful way to evaluate vulnerabilities in your networks or systems.
Secure Coding’s aim is to simulate (with your permission, which is what makes the pentest ethical) a series of attacks that are currently known and used by hackers. We also apply our pentesting experience and imagination to come up with new attacks and zero-day attacks that could be used against your business by someone seeking commercial advantage over it.
Secure Coding certified consultants can perform a variety of penetration tests. Each penetration test is led and managed by a senior consultant using a proven testing methodology to ensure comprehensive, reproducible coverage.
During the reconnaissance phase our certified penetration testers scan your systems to identify services and the interconnections between systems, in order to determine likely weaknesses.
- We confirm any automated test findings by manual verification, which adds an extra layer of specialised human expertise and deep analysis. In other words, we use the very same methodology that cyber-criminals use to gain entry or to find weaknesses, such as exposed business bank account passwords or SQL injection.
Penetration tests – How often should you perform them?
Penetration testing, or a pentest assessment, should be performed as often as possible if you want to play it safe, because changes are frequently made to your systems; at the very least it should be performed annually. Regular pen testing provides assurance within the team and to senior management.
In addition to regular analysis and assessments (which are required under some regulatory regimes), pen tests should also be part of your operational risk management planning.
For instance, whenever you:
- Add or modify Web applications, update software or change the network infrastructure
- Apply security patches – some (rushed?) patches introduce new vulnerabilities
- Move to a new hosting provider, ISP or premises
- Need to upgrade system infrastructure or internal applications
- Amend or update end user policies.
Penetration testing and PCI DSS
To be PCI DSS compliant you must perform regular penetration testing.
As shown in requirement 11.3 of the PCI DSS standard – “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.”
PCI DSS testing requirements:
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
- Perform a pentest that covers the entire cardholder data environment (CDE) perimeter and critical systems. The test includes testing from both inside and outside the network, and testing to validate any segmentation and scope-reduction controls. Application-layer penetration tests must include, at a minimum, the vulnerabilities listed in the OWASP Top 10. Network-layer penetration tests must include the components that support network functions as well as operating systems. The test also includes a review and consideration of the threats and vulnerabilities experienced in the last 12 months.