This FAQ page is designed for people who have never had a penetration test before and are not quite sure what a penetration test entails or how to prepare for one.
Reasons why clients request a penetration test
- Compliance. Your organisation processes credit card data and has to be PCI DSS compliant.
- You want to protect the confidentiality, integrity and availability of your users' data.
- You want your brand to be associated with security.
- You want to protect your IT assets, and the business that depends on them, from external attackers. Every breach costs you, financially and in reputation.
What should you test?
If this is the first penetration test you have commissioned, you are probably not sure how to approach the assessment. Codegrazer recommends separating the assessment into internal and external infrastructure. The first covers the IT assets that lie inside your internal perimeter (e.g. servers, desktops, routers, switches, firewalls); the second covers every IP address and web site reachable from the Internet.
Make a list of your digital assets, split between internal and external infrastructure. During the scoping phase, CodeGrazer's consultant will use this information to estimate the number of days required to cover every aspect of the test:
Internal Penetration Testing
- A list of all the network ranges in your organisation. How many hosts are live on these networks? How many servers? How many desktops and laptops?
- Number of firewalls. How many rules does each have? (Firewall review.)
- Number of Wi-Fi networks. What encryption do they use (WEP, WPA, WPA2 or WPA3)? WEP in particular is broken, and any network still using it is a finding in its own right.
- Number of operating system builds. Do you install new servers and desktops from a standard image?
- Number of internal web applications. Do you have any web applications that are used only internally? These tend to be more vulnerable than external-facing ones, because they are rarely tested with the same rigour.
- Is your organisation located in a single building, or will the consultant need to travel between sites, cities or countries?
External Web and Mobile Penetration Testing
- How many web applications do you own? Provide the homepage URL and IP address of each.
- Are the applications static, or do they serve dynamic content? Static pages require far less testing than dynamic pages.
- Are the web applications hosted on servers you own, or with a hosting company? If you use a hosting company, you will probably need its written authorisation before the test can start.
- Do any of the web applications share exactly the same code (e.g. one site is a copy of another)? Identical code does not need to be tested twice, which reduces the effort.
- A list of all IP addresses making up your external perimeter (not only those hosting web applications).
- A list of all mobile applications, and the platform each runs on (Android, iOS or both).
- Is the mobile application available in the App Store or on Google Play, or is it distributed privately?
- Does the application use an API (e.g. a backend called by the mobile app)? Is there any documentation available to the consultant?
- How many user roles does each application have (e.g. standard user, manager, admin)? Ideally we need at least one test user per role. Test users should have access to most if not all of the site's functionality so that Codegrazer can perform a thorough assessment, including checking that one role cannot reach another role's functions.
- Can users of the application make payments? Which payment methods are supported? Ideally a test card, or the payment provider's sandbox/test mode, should be made available to the consultant so that payment flows can be exercised without real transactions.
You decide the scope for the assessment. The lists above are only suggestions of what you could test.
How do you decide the number of days for the test?
Codegrazer will review the information you provide. For an internal infrastructure assessment we are confident we can give you an exact number of days based on the number and type of assets you want assessed. For external assessments, we review the web applications you listed by:
- Navigating the sites.
- Checking how many pages your site is made of (spidering).
- Counting the number of dynamic pages and parameters.
- Counting the number of user types undergoing testing.
After this we will be able to give you an estimate of the days required for the test. If you are happy with it, we can proceed to sign a contract and start the test as soon as you give us the go-ahead.
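As an added illustration of the counting steps above (this is not CodeGrazer's own tooling), the Python below spiders a small constructed sample site held in memory, stays on the in-scope host, and reports the figures that feed a day estimate: distinct endpoints, static pages, dynamic endpoints, and the distinct parameter names seen for each endpoint. Form fields are counted as parameters of the page they post to, which is my choice rather than something the FAQ states. The host name shop.example and the site contents are assumptions; to run it against a real, authorised target, replace `fetch` with an HTTP client.

```python
"""Scoping spider: count pages, dynamic endpoints and parameters of a site.
Added example for this FAQ, not CodeGrazer's tooling. It crawls a constructed
in-memory site (path -> HTML) so it runs offline."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urldefrag, urljoin, urlparse

BASE = "https://shop.example"  # assumed in-scope host

# Constructed sample site: static pages, query-string parameters, forms,
# and one link to another host that must stay out of the count.
SITE = {
    "/": '<a href="/about.html">About</a> <a href="/products?cat=books">Books</a> '
         '<a href="/products?cat=music&sort=price">Music</a> <a href="/login">Login</a>',
    "/about.html": '<a href="/">Home</a> <a href="/contact.html#form">Contact</a>',
    "/contact.html": '<form action="/contact" method="post"><input name="email">'
                     '<textarea name="message"></textarea></form>',
    "/products": '<a href="/item?id=1">Item 1</a> <a href="/item?id=2">Item 2</a> '
                 '<a href="https://partner.example/">Partner</a>',
    "/item": '<a href="/products?cat=books">Back</a><form action="/cart" method="post">'
             '<input name="id" type="hidden"><input name="qty"></form>',
    "/login": '<form action="/login" method="post"><input name="username">'
              '<input name="password" type="password"></form>',
}


def fetch(path):
    """Stand-in for an HTTP GET: the HTML body, or None if the path has no page."""
    return SITE.get(path)


class LinkExtractor(HTMLParser):
    """Collects anchor hrefs and forms (action + field names) from one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []   # list of (action, [field names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action", ""), [])
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def spider(base=BASE, start="/", fetcher=fetch):
    """Breadth-first crawl of one host. Returns (pages, params): the set of paths
    that returned a body, and a map endpoint path -> distinct parameter names
    seen in query strings or form fields posted to it."""
    host = urlparse(base).netloc
    visited, pages, params = set(), set(), {}
    queue = deque([urljoin(base, start)])
    while queue:
        url, _fragment = urldefrag(queue.popleft())
        p = urlparse(urljoin(base, url))
        if p.netloc != host:
            continue                      # other hosts are out of scope
        path = p.path or "/"
        for name in parse_qs(p.query):    # distinct names, not occurrences
            params.setdefault(path, set()).add(name)
        if path in visited:
            continue
        visited.add(path)
        body = fetcher(path)
        if body is None:
            continue                      # e.g. a POST-only form action
        pages.add(path)
        ex = LinkExtractor()
        ex.feed(body)
        page_url = urljoin(base, path)
        for href in ex.links:
            queue.append(urljoin(page_url, href))
        for action, fields in ex.forms:
            target = urlparse(urljoin(page_url, action))
            if target.netloc == host:
                params.setdefault(target.path or "/", set()).update(fields)
                queue.append(urljoin(page_url, action))
    return pages, params


def summarise(pages, params):
    """The figures a scoping call needs: endpoints, static vs dynamic, parameters."""
    dynamic = {path for path, names in params.items() if names}
    return {
        "endpoints": len(pages | dynamic),
        "static_pages": len(pages - dynamic),
        "dynamic_endpoints": len(dynamic),
        "parameters": sum(len(names) for names in params.values()),
    }


if __name__ == "__main__":
    found_pages, found_params = spider()
    for path in sorted(found_params):
        print(f"{path}: {sorted(found_params[path])}")
    print(summarise(found_pages, found_params))
```

On the sample site this reports 8 endpoints, 3 static pages, 5 dynamic endpoints and 9 distinct parameters; the partner.example link is ignored, and `/contact` and `/cart` appear as endpoints even though they have no GET page, because forms post to them.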
Before choosing Codegrazer I would like to see a template report and your methodology.
We are happy to provide both upon request.
Does Codegrazer provide a report after the test?
Yes. We provide two reports: an extended written report (PDF) and a more concise spreadsheet (Excel) listing the findings, which is convenient for tracking remediation.
What should I do after I receive the report from Codegrazer?
After you have received the report, CodeGrazer will organise a conference call to go through the findings. This helps you understand how secure your assets are and what to do next; the information is all in the report, but reports can be overwhelming and it is always good to talk them through. Afterwards you and your team will need to devise a plan to fix the vulnerabilities, starting with the highest-risk findings. CodeGrazer is always available if you have any questions; you can email us or give us a call. Once you have fixed the vulnerabilities, you will want them retested to confirm the fixes are effective. CodeGrazer offers free retests for web applications because we care about your security.
Is CodeGrazer covered by professional indemnity insurance (generally required for UK-based penetration tests)?
Yes, we are! We are happy to provide proof upon request or after initial contact.
How does CodeGrazer manage sensitive information gathered during the test like vulnerability details, exploits, passwords?
Our laptops use full-disk encryption, and the data gathered during a test is encrypted separately on top of that, giving two independent layers of encryption.