A pentest is a quick, easy to plan, and – most importantly – affordable security audit to determine the security of systems at a given time. It offers a high level of transparency and therefore often serves as an objective proof of the careful handling of trustworthy data within a company.
- Risk assessment
- Detailed report
- Hands-on solutions
- Certified security experts
When is the best time to do a pen test?
Typically, pentests are performed on individual systems in the course of acceptance tests immediately before going live. Afterwards, pentests should be repeated periodically as part of information security management, ideally based on each other and decoupled from the release cycle.
Alternatives to pen testing
For customers who prefer DevOps as a development method, SEC Consult offers AppSecMon, a continuous security review service at predictable cost. Furthermore, the cost of coordinating and preparing individual, individual security checks is reduced in this alternative to classic pentesting.
When is the worst time to schedule a pen test?
Just before commissioning a system just to comply with legal compliance, a pentest often puts more stress and problems into the project than at an earlier point in the project. Especially if there were no security checks before and the last project phases are usually very hectic even without a pentesting. In addition, vulnerabilities found can sometimes be so critical that they need to be rectified immediately. In the case of security risks in architecture, this can in the worst case be a new development.
How much does a pen test cost?
Pententation tests cause expenses in the range of one to three digit person days. There are essentially two factors in play: The criticality of the systems and the complexity of the systems in each scope. The more complex and critical the application is by its data, e.g. canteen digital menu plan versus financial transaction data, the higher the (time) budget for a single or repeated pentesting should be scheduled in the project. SEC Consult conducts more than 600 pen tests worldwide every year. Particularly sensitive but recurring sources of error are, for example, database connections, login procedures, integration of external sources, central input and output validation.
Which pen test to choose?
A certain amount of information about the systems is available to the pentester during a penetration test. The range goes from no information – a so-called black box test – to complete documentation including adminstrator accounts with appropriate access rights – a so-called Whitebox test. All interpretations of the level of detail in between are called Greybox Test. SEC Consult offers yet another verification method, the Glassbox Test. The auditors have complete information about the application and even the source code of the relevant parts of the scope available
SEC Consult offers another verification method, the Glassbox Test. Auditors have complete information about the application and even the source code of the relevant parts of the scope available. Read more about pen testing and its benefits here.