Designed to provide high quality insights for the various organizational domains, our penetration testing covers a wide range of business or security needs. The actual testing methodology consists of commercial and proprietary tools, guided by well-known pentest standards and enriched with manual and hybrid testing methods.
Each of the available penetration testing options can be applied either to one ore more web applications or web services, as well as to your company's infrastructure, internally or externally.
To enhance the value of a penetration test, SpearIT introduces the SpearIT SpearBadge™: an ad-hoc service that establishes trust by declaring your product's security readiness and your due diligence to maintain a security baseline. For more information regarding SpearBadge™ click here.
In cases where transparency and traceability is important, traceID™ reporting method ensures you have clear visibility and traceability over all the exploitation activities and their results, helping you mitigate more efficiently your weaknesses with reporting compatibility. For more information regarding traceID™ click here.
During this phase, an operational environment is discussed and established with the help of written/verbal communication & scoping questionnaires, defining:
Legislational/compliance obligations related to pentesting activities
Which assets of the organization are to be tested and which are excluded
Allowed types of attacks
Testing period and timezones
Means of communication
2. Information Gathering
Passive OSINT (Open Source Intelligence) techniques are used in combination with neutral observation actions in order to collect as much information as possible regarding the targets to be tested. The more the information, the most attack vectors can be crafted. The intelligence gathered can be of the following types:
Leaked document and other file types by various search engines
Exposed robots.txt file
Past credential leaks
Forum posts by developers
A plethora of automated tools and manual scanning methods is utilized in order to discover possible entry points and attack vectors. The results will be used as a springboard for implementing exploitation attempts:
Exposed backup/config files
Known vulnerabilities (CVE, CVSS, etc.)
Based on the findings of the previous steps, proper attack vectors are designed and executed in order to exploit the detected vulnerabilities/flaws and penetrate into the application. The attacks can be against:
Infrastructure Configuration (Web server, Database server, DNS server)
Information Disclosure Issues
Service Availability (DoS)
Reports are a crucial step in a penetration testing engagement as the cornerstone deliverable which provide meaningful insights regarding the security posture of your organization, along with remediation recommendation for each detected risk. Our reports are built upon the following elements:
Executive summary for the management board, C-level executives
Intelligence report for mid-level roles
Detailed Technical report regarding the findings
Prioritized risk-based reporting
Traceability steps for each finding (traceID ™)
Security readiness badge (SpearBadge ™)
6. Mitigation Verification
SpearIT can additionally offer mitigation verification services, which are executed after a penetration test report delivery and ensure the continuous and proper security readiness of your organization against known threats. The verification procedure aims to approve the proper implementation of the proposed mitigation measures and to detect any new vulnerability which may arise from the reconfiguration activities which would probably occur in the context of mitigation.