Put your defenses to the test with authentic attacks
Understanding Penetration Testing
What is Penetration Testing?
Penetration Testing (PT) is a security testing service provided by an independent third-party professional information security team to an organization. The team performs security attacks on the organization’s software and hardware, including websites, information systems and other equipment by imitating hacker’s mindset within the organization’s boundary agreed beforehand. The goal of this service is to locate underlying vulnerabilities and validate whether the organization’s data and equipment are secure against theft or destruction. Additionally, the overall architecture of information systems and hardware are also assessed for possible security improvement.
Why your organization needs DEVCORE’s penetration testing service?
Hacker attacks are pervasive and infectious, like real-life viruses. The threat is imminent and persistent. Penetration testing, on the other hand, is like a health examination. If the organizations can regularly perform in-depth information security health checks, their security architecture weaknesses could be minimized, and be granted with greater chance of survival facing various attacks in the future.
By choosing DEVCORE, you are choosing:
Real penetration testing experts who think like hackers
Our long-term participation in hacker communities help us thoroughly understand hacker's mindset and attack techniques. These knowledge are constantly updated and applied in our penetration testing service. We believe information security is an everlasting war. Sun Tzu said, "know yourself, and know your enemy better, then you may survive every battle." Only testers who know hackers well enough can provide most genuine penetration testing service.
Discover Your 0-Day Earlier than Hackers
We specialize in incorporating different exploits with every risk level and perspective to maximize the impacts of the attack, in order to discover the previously unknown attack vectors in your organization. As the discoverer of vulnerabilities in several world-famous vendors, we are more capable of finding 0-day exploits in your organization, ahead of the hackers.
Flexible Target-oriented Team Arrangement
Large organizations usually own various software and hardware targets including websites, apps, and networking hardware. They need an all-inclusive information security team with experts in every system, programming language and penetration testing capability to measure security risks of all aspects and levels in the organization.
Are There any Guidelines for Penetration Testing?
Our penetration testing service items consists of three major dimensions, network scan, vulnerability scan, and penetration test. These items meet the international standards as follows:
OWASP (Open Web Application Security Project)
OWASP Testing Guide Version 4
OSSTMM (Open Source Security Testing Methodology Manual)
Open Source Security Testing Methodology Manual Version 3
Penetration Testing Implementation Workflow
Confirm project requirements
- Call a project kick-off meeting to confirm customer requirements and implementation guidelines
- Sign the contract and obtain legal pentesting permissions
Performing Penetration Testing
- Target reconnaissance: gather public information regarding the penetrating target, for example, domain, IP address, account, etc
- Information leakage test: look for sensitive data or system message leakage
- Vulnerability scan: scan for known vulnerabilities existing on the targets
- Penetration testing: test for application vulnerability, website logic flaws, operating system vulnerability, password cracking, etc
- Privilege escalation and elevation: if the target server(s) were taken over successfully, attempt to gain server administrator privilege, or check whether the penetration can be expanded to other internal server(s)
PT report preparation
- Provide a detailed analysis of vulnerability entry points, risk levels, testing methods, and patch suggestions
- Deliver the PT result report
- Offer consulting for vulnerability remediating
Briefing and documentation delivery
- Briefing on project findings and deliver relevent documentation
Other Penetration Testing-related FAQ
What's the preparation for penetration testing?
DEVCORE will negotiate with the Consignor and conduct the testing basically during the Consignor's business hours, so that the Consignor is able to dispatch the developers to patch critical vulnerabilities in time. In addition, DEVCORE will also inform the consignor about the specific IP addresses used for testing, in order to distinguish them from other unauthorized sources and mitigate possible attacks at the same time.
What are the differences between penetration testing and vulnerability scan?
Vulnerability scan can be done with automated scanner software in a shorter time, which is relatively faster and cheaper. However, vulnerability scan can only detect already known vulnerabilities, rather than discovering latest security issues and providing patch suggestions. Penetration testing relies on experienced information security experts to do it manually. Throughout the testing process, different security loopholes will be combined into attack chains by the experts, and carry out persistent attacks to verify whether there's any method to break the website's defenses available.
How much time does it take to conduct a penetration testing?
Depending on the scale and complexity of the organization's systems, a single website takes about a month to go through the whole process, from preliminary test, remediation, to advanced test.
What are the differences between automated testing and manual testing?
Compared with automated testing, manual testing offers benefits including higher testing accuracy, greater depth of inspection, capability of distinguishing business logic flaws, etc.
Are social engineering and DDoS attacks included in the penetration testing process?
To prevent from disturbing the organization's regular operations, DEVCORE does not incorporate social engineering and DDoS attacks in the testing, unless specifically requested by the consignor.
Will other servers be affected during the penetration testing takes place?
Unless legally authorized, DEVCORE will NOT perform penetration testing on servers other than the agreed targets.
Is the information obtained during penetration testing process vulnerable to leakage or unauthorized disclosure?
Information security experts at DEVCORE operates with the highest standards of ethics and compliance, and will NOT disclose any information obtained during testing to any third-party individual or entity. Moreover, during the testing process, information will be exchanged with strong password encryption to ensure security and confidentiality.
Are you completely secure after penetration testing?
Hacker attacks are constantly evolving threats. Even a website kept unaltered without any minor modification can be intruded with new attack vectors in the future. Additionally, most business websites must develop new features. Therefore, we suggest organizations to regularly do penetration testing each year.
How often should an organization undergo the penetration testing?
According to Taiwan Financial Supervisory Commission, banking system websites should perform two penetration testing each year, and regular organization websites or networking services should perform penetration testing at least once annually.
Can I commision DEVCORE to perform testing on other organization's websites?
Penetration testing involves in accessing an organization's sensitive information and must be legally authorized beforehand. Therefore DEVCORE can only accept testing requests from the website's owner or organization.
Are there certain qualifications for vendors performing penetration testing?
Currently there are no rules or regulations governing such services and their providers. However, before purchasing a penetration testing service, we suggest you to make sure whether the vendor is capable of providing high quality services. Some checkpoints can be whether the vendor had discovered vulnerabilities in prominent software or networking services, or whether they had presented their information security techniques in major conferences. By knowing these, an organization can avoid recruiting a under-qualified vendor to perform penetration testing by only using automated software.