This article is intended to encourage public discourse about security awareness and to work together towards fixing the Internet. No security tool will solve the problem on its own; that requires a shift in mentality.
- What is a vulnerability?
- What is an exploit?
- What is a proof of concept?
- What is a penetration test?
- Black, gray or white box penetration test?
- What is the definition of severity?
- What is the definition of likelihood?
- What is the definition of risk?
- How much does it cost?
- How long does it take for a test?
- What exactly is being tested?
- What is a retest?
- What does the result of the test show?
- How are vulnerabilities scored?
- What language are the results in?
- What happens when a critical vulnerability is found?
- What services will you offer next?
What is a vulnerability?
Vulnerabilities are weaknesses in an application or system that a threat actor can abuse to perform unauthorized actions within that system, such as reading data they should not see, modifying it, or executing code.
What is an exploit?
An exploit is a piece of software, or a specific sequence of inputs, that takes advantage of a vulnerability to cause behaviour the developers did not intend. It can take many forms and depends heavily on the application in question.
What is a proof of concept?
In addition to the full report, we offer clients proof of concept scripts that demonstrate the feasibility of the exploit and help the customer reproduce our findings. A proof of concept only shows that a finding is exploitable; it is not a weaponized tool.
What is a penetration test?
A penetration test is an authorized, simulated attack on a computer system, performed to evaluate the security of that system. The final product of the test is usually a PDF report explaining the findings, their risk and how to fix them.
Black, gray or white box penetration test?
Depending on the amount of information we start with, a test is called a black box, gray box or white box pentest. In a black box pentest we get no additional information, simulating a third party that only has publicly available knowledge. A white box test is the opposite: we receive full information, up to and including the source code. The most frequently used variant is the gray box pentest, a compromise between the two, in which we receive as much information as the customer can provide (for example test accounts, documentation and architecture descriptions) but not the source code. The effort needed to complete the project increases with the amount of information we have to process, but so do the number and depth of the findings. Some issues can only be discovered by reading the source code, so a balance needs to be found.
What is the definition of severity?
Depending on the damage a vulnerability can cause, we assign it a minor, moderate or severe impact. The severity is derived from the Common Vulnerability Scoring System (CVSS) base score of the finding, which is then mapped onto these three levels.
What is the definition of likelihood?
Likelihood is our estimate of how probable it is that an attacker will exploit this particular vulnerability. We classify the likelihood of a finding as unlikely, possible or likely. The starting point is the likelihood of exploitation given for the relevant Common Weakness Enumeration (CWE) entry, adjusted to the application in question, for example to account for the exposure of the affected component and the effort an attacker would need.
What is the definition of risk?
Risk assessment values are determined by this formula:
Risk Rating = Likelihood x Severity
The higher the risk rating, the greater the overall risk for the project. This balances severity against probability, so that, for example, a high severity vulnerability that is unlikely to be exploited is ranked lower than a moderate severity one that is almost certain to be exploited.
Based on the risk rating, we classify vulnerabilities into four categories:
- intolerable: the vulnerability can cause a disaster
- undesirable: the risk can have a serious impact but cannot be described as a disaster
- tolerable: the effects are not critical to the outcome
- acceptable: the vulnerability has little effect
How much does it cost?
We cannot tell you in advance without understanding the customer's needs and the complexity of the project. We take a deeper look at the application and its functionality during and after the kick-off meeting, and come back to you soon after with our offers.
How long does it take for a test?
We will give you three offers, differing in the depth of the test and the amount of time needed to finish the assignment. The offer you choose determines both how long we need to deliver the results and how many results we will be able to deliver.
What exactly is being tested?
We use the kick-off meeting to understand the customer needs, including defining the scope of the assignment and discussing the details of what needs to be tested.
What does the result of the test show?
A penetration test reveals what a threat actor with our skill set would have discovered during the assigned time period. It does not reveal every vulnerability in the system, and it is meant to be used as a guide to where the customer needs to focus in order to improve their security. A report with no findings therefore does not mean the system is free of vulnerabilities.
What language are the results in?
For now we offer only English, however we plan to do them in German soon too.
What happens when a critical vulnerability is found?
When a high-risk vulnerability is discovered during the assignment, we contact the customer immediately and discuss the finding before the project is finished, so that critical issues can be fixed as soon as possible rather than waiting for the final report.
What services will you offer next?
Next on our roadmap is expanding our services to cover the testing of Android applications and of internal and external network infrastructure. In the longer term we plan to offer incident response, source code review, system hardening and other security services.