Pentest

We identify gateways into systems and applications and reduce your risk

Protect your systems proactively

If vulnerabilities in your systems and applications are not detected and closed in time, attackers can compromise your systems. This can lead to a loss of confidentiality, integrity and availability of your data. Are your systems properly protected?

 

A penetration test, or pentest for short, is an effective IT security measure for analyzing the security level of your systems and applications and is often needed to meet compliance requirements. In usd pentests, our security analysts assume the role of a hacker and attempt to penetrate your company’s IT systems in a targeted, customized and creative manner using the same methods and means that attackers would use. This way we identify potential vulnerabilities and points of attack at an early stage so that you can correct them before they can be exploited by an attacker.

What are your drivers?

Conducting a penetration test allows you to identify possible risks and ensures that your partners and service providers comply with a wide range of regulations.

You are required by regulatory, contractual or internal requirements to perform pentests.
You need a successfully conducted penetration test to conclude a cyber insurance policy.
Your employees work on a mobile basis and you do not want to offer attackers any gateways.
As a hardware or software manufacturer, you are serious about protecting your customers’ data.
You place the highest demands on the security of your own IT infrastructure, as well as on those of your partners and service providers.
You do not want to lose your customers’ trust and want to protect your company from financial and reputational losses.

How do we get started?

Some preparatory steps are necessary before the actual pentest can be conducted in order to guarantee that the analysis is optimally tailored to your company. Important criteria for defining your scope are the need for protection, possible risks of compromise and the time allocated for the pentest. Based on these preliminary considerations, we define the scope and possible attack scenarios.

 

 

Guaranteed quality and transparency

We use our tool-based, reproducible approach in an analysis process tailored to your needs. Thanks to our usd HeroLab Toolchain, we have more time for extensive, manual analyses. We ensure transparency for all analyses we perform, so you know exactly what was tested.

Our pentest portfolio

Systems

Servers, workstations and network components
IT system security is one of the most important aspects of corporate security. After a successful attack, attackers exploit vulnerabilities on network and system levels to spread in the corporate network.

Web applications

Web applications and services
Web applications are an essential part of our daily work. However, their widespread use holds certain risks, as web applications often process and exchange sensitive data. This turns web applications into popular targets for attackers.

Mobile applications

Android & iOS
Mobile applications, or apps for short, are gaining in importance and popularity. Sensitive information is transmitted and also stored directly on end devices. Vulnerabilities allow attackers to access user data or even the company’s internal network.

Cloud

AWS, Azure & Google Cloud Platform
Security considerations cannot be dismissed when moving data to the cloud. As a user you must ensure the security of your data. It is therefore crucial that you evaluate the security of your cloud environment.

Fat Clients

Native applications on Windows and Unix systems
Companies increasingly use so-called fat clients, which run natively on the operating system and are not available through the browser. These applications are often developed in-house and can pose a high risk to corporate security.

Mainframes

Systems and applications
Mainframes are generally regarded as particularly robust and secure. But even here, errors in development, configuration and operation can lead to vulnerabilities with consequences that threaten the existence of companies. For this reason, security checks should be carried out regularly.

Workstation

Security vulnerabilities in applications and incorrectly configured system services are ideal entry points for malware to infect individual computers or an entire network. Workstations or clients, such as Windows notebooks, are often the entry point.

SAP Infrastructure

SAP systems and FIORI web applications
The company's own SAP systems are often one of the most critical areas for the IT security organization of a company. Exploiting a vulnerability in such an environment can have serious and sometimes substantial consequences. 

Single sign-on (SSO)

OpenID Connect 1.0, OAuth 2.0, SAML

SSO holds opportunities but also many risks. Misconfigurations or weaknesses in the implemented solution can pose substantial risks, including compromising the confidentiality, integrity, and availability of application and user data.

Individual Testing Areas

Are you looking for a pentest of a component you could not find above? We can certainly analyze your environment, such as:

  • WLAN
  • VoIP telephone system
  • Mobile application management
  • Mobile device management
  • Business software, such as SAP
  • and much more

What we do

Preparation and kick-off

Our Pentest Service Management supports you in gathering the information and documents relevant for the kick-off. The pentest is prepared at a kick-off meeting with the responsible technical and organizational specialists of your company. In this meeting, we specify the IT systems to be tested, coordinate necessary user accounts and access channels, define contact partners and escalation channels and discuss the test procedure in detail.

 

We conduct our pentests primarily on the basis of a grey-box approach. On request, we can conduct our pentests on the basis of a black-box or white-box approach.

Examination

We will inform you in time about the start date and send you a reminder in advance. Subsequently, our security analysts will start the pentest in consideration of the criteria specified in the kick-off. The pentest can be conducted on your site or from usd AG’s high-security network via the Internet. Our usd OrangeBox can support you in establishing the VPN connection. We stay in constant dialogue with you throughout the entire analysis and keep you informed about progress and status on a daily basis.

 

First of all, the systems and applications to be tested are analyzed for their attack surface. Potential vulnerabilities can be identified and verified by using different techniques and applying well-established tools as well as our usd HeroLab Toolchain. Attack scenarios as well as the exploitation of identified, potential vulnerabilities, which could with a high probability affect the availability of IT systems and applications, are discussed with you on a case-by-case basis and only carried out after your explicit approval.

Report

You will receive a comprehensive report comprising an Executive Summary and a Technical Report. This gives you a thorough overview of potential threats and vulnerabilities in your IT infrastructure. This report contains the identified risks and recommendations for corrective measures, so that you can sustainably increase your security level and minimize your risks.

Remediation

The remediation phase comprises the most important steps after the technical security analyses have been conducted. Here, your company eliminates the identified vulnerabilities based on the recommendation of your security analysts. Optionally, we provide the best possible support for you.

Retest and report adjustment

Optionally, you can verify the correct implementation of the corrective measures with a selective re-test. Especially if the penetration test is performed for compliance reasons (e.g. due to PCI DSS requirements), the re-test is a necessary part of the penetration test. You will receive the results of the re-test in the form of a comprehensive report. If the pentest results meet the requirements of PCI DSS, we will gladly issue you with our security certificate. This enables you to demonstrate to third parties that you take security seriously.

Your advantage at a glance

Preparation & follow-up

Organizing pentests can be very complex if a large number of systems and applications are in use. On demand, we can provide you with comprehensive support in organizing and following up your pentests. Please feel free to contact us.

Top Expertise

Services provided by highly qualified security analysts who are certified according to the “usd HeroLab Certified Professional” (UCP) and internationally recognized standards.

International Standards & Compliance

When conducting penetration tests, we take the following international standards and best practices into account:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)
  • Recommendations of the German Federal Office for Information Security (BSI)
  • Open Web Application Security Project (OWASP)

We will be happy to tailor our process model to the requirements of your company and help you to meet your regulatory requirements.

Comprehensibility & transparency

Increased transparency through comprehensible documentation of the procedure, the identified vulnerabilities and all performed analyses.

Evaluation & recommendation

Comprehensive report including an overall security recommendation, risk assessment and recommended corrective measures.

 

Besides our own risk rating, we offer vulnerability scoring according to internationally recognized metrics (for example Common Weakness Scoring System (CWSS) or Common Vulnerability Scoring System (CVSS)).

Automation & reproducibility

Reproducible, high-quality analysis of weak points and gateways through the efficient use of our usd HeroLab Toolchain as well as tools from internationally recognized manufacturers.

Contact

 

Please contact us with any questions or queries.

 

Phone: +49 6102 8631-190
Email: sales@usd.de

 

Daniel Heyne
usd Team Lead Sales,
Security Consultant Pentest, OSCP, OSCE