
Pen Testing Frequently Asked Questions (FAQ)

Is there a list of trusted, rated and reviewed penetration testing companies?

Yes. Companies that are LISTED on ALLOWLIST have been due-diligence checked for limited company status and for insurances at the time of the check. Any quoted certifications or qualifications have been checked and verified at the time of the check. Each company can be rated by customers on a 5-star rating system, and reviews can be left describing experiences with the company. Whilst no guarantees can be made and your own due diligence should be undertaken, there is first-pass assurance in place. The top 10 list of trusted pen testing suppliers can be found here.

What does penetration testing mean?

A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. Not to be confused with a vulnerability assessment. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed. – source Wikipedia.

Why do we need pen testing?

If you really want to make sure you’re secure, then a penetration test is the right step for your organisation. It is often a requirement of information security related standards such as PCI-DSS, ISO 27001, ISO 22301, BSI 10008, SOC2 – read more.

How often should you do a penetration test?

A penetration test should be conducted on a regular basis: at least once a year and after any significant change. It is advisable to move to a system of continual monitoring to supplement the more in-depth penetration testing, as a point-in-time penetration test will not protect against zero-day vulnerabilities or the changes to threats that can occur between tests.

How long does a penetration test take?

Penetration tests take between 1 and 3 weeks. The duration depends on the type of pen test conducted and the complexity of the environment.

What are the types of penetration testing?

There are many types of test that can be classed as penetration testing, based on a professional ethical company undertaking the actions that a malicious attacker would undertake. Testing of public, internet-facing services is the most common, followed by the tester being provided with internal credentials and testing what someone inside the network could do. Penetration testing is based on need, and we see vulnerability assessment classed under pen testing as well as Network Penetration Testing, Web Application Penetration Testing, API Penetration Testing, Source Code Security Review, Mobile Application Penetration Testing, Wireless Penetration Testing, Network Device Configuration Review, Physical Security Assessment and Phishing testing. The list is not exhaustive.

How does a penetration test work?

An ethical hacking company with appropriate credentials will be engaged. The company will provide adequate insurance and assurances, including liability cover for the test. Depending on the type of test, the company will either be provided with log-on credentials or not. The majority of testing occurs against a live environment. This presents a level of risk to the production service, but a professional company is experienced and will take every step to avoid disrupting the production service in any way. The findings from the penetration test will be issued along with the priority of those findings. A report-out meeting will be held where the results are presented and discussed. It is possible that some results returned are false positives. These are results flagged as a problem that are, in this instance, known and required for the service to run. The engaging organisation will then remediate the findings. Depending on the level of service bought, a retest may be conducted to confirm that the gaps have been remediated.

What tools do penetration testers use?

Penetration testers use all the tools at their disposal. There are tools designed specifically for penetration testing and there are tools that can be applied to a penetration testing scenario. Whilst standards may rely on certain tool sets, penetration testers develop their own toolsets to meet the challenging needs of the environments and systems they will encounter.

How do you deal with pen test findings effectively?

The best way I’ve found to do this over the years is as simple as sitting down in a session with the risk owner (usually a product or project owner), their technical team, and a security representative. Make it clear that it’s the decision of the risk owner whether to remediate or not, given the potential impact and the effort, and that security and the technical team are just there to advise on risks and costs. If the risk owner isn’t comfortable being accountable due to the level of risk for a finding, and the effort to remediate is greater than can be met, then the risk should be escalated until either someone can accept it, or provide the extra resource needed. – read more.

Why is penetration testing important?

A penetration test is important because it will highlight how an attacker can attack you, where your vulnerabilities are and how to protect yourself. Technology is ever changing, and system and configuration weaknesses can allow people either to access your information or to bring your system down, preventing you from doing business. A penetration test should highlight those areas that are weak and allow you to fix them.

Need help finding a Pen Testing solution company?
