A vulnerability scan uses automated scans to discover known vulnerabilities. These vulnerabilities are then reported. It is an important first step in understanding potential weaknesses within a system.
A pentest goes one step further. During a pentest, not only are vulnerabilities identified, but they are actually exploited. This demonstrates what the actual consequence may be to a system or environment when compromised. The ethical hacker will use his experience and creativity to identify all the weaknesses of an environment, giving the organization a more realistic picture of the risks they face.

Penetration test or vulnerability assessment? – Have a Pentest Performed – Contact NFIR Now

Depending on the size of the job, a careful assessment is made as to whether multiple people should be put on a pentest to reduce the length of the job. The duration of a pentest can vary depending on the environment being tested and the complexity of the attack scenarios being used. Generally, a pentest covers a period of 2 to 4 weeks. This period includes not only the execution of the test itself, but also the preparation, analysis and explanation of the final report.

A pentest (penetration test) is necessary because companies are often unaware of vulnerabilities in their network and systems. It is a controlled and authorized attempt to evaluate security through a simulated attack. The main reasons for a pentest include vulnerability identification, risk management, regulatory compliance, evaluation of new applications and changes, protection of customer data, and building trust with customers and stakeholders. Conducting regular pentests is essential to improve security and prepare for potential attacks.

• For example, a pen test is useful to:
  Assess your current situation for vulnerabilities.
• Detect vulnerabilities before the release of new applications.
• Check weaknesses after changes to infrastructure or applications.
• Comply with corporate policies, standards and/or legislation that require periodic security assessments.
• Test your Cybersecurity maturity against the detection methods you have implemented.

When performing a pentest, various international standards and methodologies are used to discover and classify vulnerabilities.

Some of the key standards applicable to the assignment include:

• Penetration Testing Execution Standard (PTES): methodology for the purpose of infrastructure pen testing.
• OWASP WSTG: Standard for the purpose of Web application pentesting.
• OWASP Top 10: The 10 most critical web application vulnerabilities.
• OWASP API Security Top 10: The 10 most critical API vulnerabilities.
• OWASP MASTG: Standard for the purpose of mobile application pentesting.
• Common Vulnerability Scoring System (CVSS): Used to classify the severity of vulnerabilities.

By using these standards, a pentest can be performed in a structured and thorough manner, and the results can be reported in a clear and comparable way.

Our pentesters have a large amount of experience, a lot of creativity and up-to-date expertise. The NFIR pentesters have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements.

A Black Box pentest means that no information about the environment is shared with the pen testers beforehand. With a pentest based on the White Box principle, all information about the environment is shared in advance. If you are having a pentest performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.

• OWASP WSTG

The Web Security Testing Guide (WSTG) project is the premier cybersecurity testing resource for Web application developers and security professionals. The WSTG is a comprehensive guide to testing the security of Web applications and Web services. Created through the combined efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations around the world.

• OWASP MASTG

The OWASP Mobile Application Security Testing guide is a mobile app security standard and comprehensive testing guide that covers the processes, techniques and tools used during a mobile app security test, as well as a comprehensive set of test cases that allow testers to deliver consistent and complete results.

The Penetration Testing Execution Standard (PTES) consists of several main components. These cover everything about a penetration test, namely:

1. The initial communication and reasoning behind a pentest;
2. The information gathering and threat modelling phases, where testers work behind the scenes to gain a better understanding of the tested organisation;
3. Vulnerability assessment, exploitation and post-exploitation, which addresses the technical security expertise of the testers and combines it with the business insight of the assignment;
4. Reporting, which captures the entire process in a way that makes sense to the customer and provides them with the most value.

The Common Vulnerability Scoring System (CVSS) standard provides an open framework for disclosing the characteristics and consequences of software and hardware security vulnerabilities. The quantitative model is designed to ensure consistent and accurate measurement while allowing users to see the underlying vulnerability characteristics used to generate the scores.