A pentest is a quick, easy to plan, and – most importantly – affordable security audit to determine the security of systems at a given time.
It offers a large degree of transparency and therefore often serves as objective proof that a company handles the data entrusted to it with care.
Typically, pentests are performed on individual systems in the course of acceptance tests immediately before going live.
Afterwards, pentests should be repeated periodically as part of information security management, ideally building on each other and decoupled from the release cycle.
A pentest carried out just before a system goes live, merely to satisfy legal compliance requirements, usually causes more stress and problems for the project than one performed at an earlier stage. This is especially true if no security checks were done beforehand, and the final project phases are typically hectic enough even without a pentest.
In addition, the vulnerabilities found can sometimes be so critical that they have to be fixed immediately. If the security risk lies in the architecture itself, this can in the worst case mean redeveloping the system.
Penetration tests cost anywhere from a single-digit to a three-digit number of person days. Essentially two factors determine this: the criticality and the complexity of the systems in scope. The more complex the application and the more critical its data (e.g. a canteen's digital menu versus financial transaction data), the larger the (time) budget that should be scheduled in the project for a single or repeated pentest.
SEC Consult conducts more than 600 pentests worldwide every year. Particularly sensitive and frequently recurring sources of error include database connections, login procedures, the integration of external sources, and central input and output validation.
During a penetration test, the pentester has a certain amount of information about the systems available. This ranges from no information at all – a so-called black-box test – to complete documentation including administrator accounts with the appropriate access rights – a so-called white-box test. Every level of detail in between is called a grey-box test.
SEC Consult offers a further verification method, the Glassbox Test, in which the auditors have complete information about the application and even the source code of the relevant parts of the scope at their disposal.