Everything You Always Wanted to Know About Pentest (But Were Afraid to Ask)

What is pentest?

A penetration test, generally known as a pentest, is an authorized simulated cyberattack on a computer system performed to evaluate the system's security, as Wikipedia tells us. Simply put, you hire hackers to identify vulnerabilities and weaknesses in your system in controlled conditions that real hackers could use to cause damage. 

Why should you know about it? 

Though there are many reasons to conduct a pentest (from feeling unsafe to a lost bet), we name 3 main points that can make you consider a pentest:

1. Identifying vulnerabilities and weaknesses. Pentest is the easiest (except doing nothing and waiting for a cyberattack) way to find out the current security level of your system. This way, you can get a plan of what to do to improve your security.
2. Compliance Requirements. Many industries have compliance regulations that require regular security assessments, including penetration testing. These requirements can range from mild (for example, HIPAA’s) to severe (like PCI DSS requires).
3. Build Trust and Reputation. Demonstrating a commitment to security through pentesting can enhance trust and credibility with customers, partners, and stakeholders. It shows that you take security seriously and are proactive in safeguarding sensitive information.

What kinds of pentest do exist? 

The pentest can be divided into two criteria: the object of testing and the amount of information you provide to the pentesters.

By object, the following is usually distinguished:

1. Network and cloud infrastructure pentest
2. Mobile applications pentest
3. Web-applications pentest
4. API pentest
5. IoT pentest
6. Physical pentest
7. Pentest by social engineering methods

By system transparency for pentesters:

1. Black-box - the tester has little to no knowledge of the system and its configuration details. 
2. White-box - the pentester has exhausting information on the tested system, including source code.- this kind of pentest is the 
3. Grey-box - the compromise between the desire to conduct an exhaustive pentest with full coverage as in white box mode and the urge to understand the threat from a real external attacker like in black-box. Pentesters, in this case, are usually provided with technical documentation (API descriptions, list of services in the internal network, etc.)

What kind of suits you? 

It depends on two factors: the main objective (compliance requirements, current security level assessment, or any other mentioned above) and the attacker model. For example, you may assume that the most likely attacker is a fired developer - so you have to test all the applications in white-box mode to find possible backdoors. In another case, the network infrastructure can be supposed to be the most vulnerable part, and the external attacker is the main threat - so you have to consider external and internal pentest. If we are talking about applications (both web and mobile) or APIs - we usually recommend choosing grey-box mode as a combination of white-box and black- box testing. Don’t hesitate to consult your prospective pentest vendor about it - it is worth discussing. 

How much does it cost? 

Price varies greatly depending on the scope of work, pentest conditions, and vendor’s experts' qualifications. You can find offerings from several thousand US dollars (which usually means that the pentest will be made with automated tools only) to more than a hundred thousand US dollars (for manual checks of the big target system, made by numerous pentesters teams). Notice that almost every kind of testing can be done manually and with automated tools: the way of automatization is much faster and cheaper, but there are some sorts of vulnerabilities revealed by human beings only (for example,  business logic flaws, software architecture biases, and some others). In ONSEC.io, we use a holistic approach, combining both methods to achieve a synergistic effect.  

How to start? 

Define your objectives and basic technical information on your systems and connect with different pentesting vendors. 

What to expect from the pentest? 

As a result of the pentest, you will receive a report describing existing vulnerabilities, including severity scores for each one. 

Normally, the pentest report also includes recommendations for the remediation of vulnerabilities and general recommendations for increasing the system’s security level.

Based on this document - and with the consultancy of cybersecurity experts, which can be provided by your pentest vendor - you can plan measures to enhance the security of your company. 

Here, you can find an example of such a report made by ONSEC.io specialists.

If any clarifications are needed or if you want to conduct the pentest - feel free to contact ONSEC.io via email at request@onsec.io or set up a call in Calendly