Penetration Testing Services
Network Penetration Testing
The more access your customers and employees have to your networks and systems, the more potential entry points an attacker has. Because each type of network faces its own threats, penetration tests are designed specifically for each one.
A Network Penetration Test can be performed on different networks, such as internal, external, and wireless networks.
Here's a more in-depth look at the different types of network penetration tests offered by TraceSecurity:
Wireless Penetration Testing
Wireless networks are essential to business, for both employees and customers. Whether your wireless network is publicly facing or only used internally, it still presents a potential access point for bad actors.
Our Wireless Assessment & Penetration Test is designed to review the configurations of your wireless networks and the ways they are connected to other areas of your network, followed by manual exploitation to see what could be compromised. Common findings include access points broadcasting beyond the intended range, wireless networks that are not segmented from internal networks, and a lack of monitoring of publicly accessible wireless access.
Application Penetration Testing
Applications are typically your most public exposure point, which puts them at high risk of exposing sensitive information or allowing unauthorized access. These could be web applications, mobile applications for iOS or Android phones and tablets, or the APIs that connect your various applications.
Our Application Security Testing is based on the OWASP Top 10 guidance for web applications, mobile applications, and APIs, incorporated into our proprietary testing methodology. It's important to determine whether your application is exposed to application-layer vulnerabilities such as cross-site scripting or injection, whether during or after development. You should perform App Security Testing at least once per year, or any time there are significant changes or updates to the application.
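As an added illustration of the two application-layer flaws named above (not code from TraceSecurity or from the original page), the following Python snippet places a login query and an HTML greeting built by string concatenation beside their hardened forms (a parameterized query and HTML escaping), and runs the kind of payloads an analyst sends during application testing against both. The in-memory SQLite table, user names, passwords, and payload strings are constructed for the demo and are not from the page; passwords are stored in plaintext only to keep the example short.

```python
import html
import sqlite3

# Constructed sample data for the demo (not from the page). A real application
# would store password hashes, never plaintext.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn

# Vulnerable: user input is pasted straight into the SQL text, so a quote in
# the password field changes the query's logic.
def login_vulnerable(conn, username, password):
    query = ("SELECT username, role FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()

# Hardened: the driver binds the values as data; the query text never changes.
def login_hardened(conn, username, password):
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

# Vulnerable: attacker-controlled text is reflected into HTML unescaped.
def greet_vulnerable(name):
    return "<p>Hello, %s</p>" % name

# Hardened: escape before reflecting into an HTML text context.
def greet_hardened(name):
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

# Constructed test payloads of the kind an analyst would submit.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

def run_checks():
    """Return a dict of outcomes so the vulnerable and hardened paths can be compared."""
    conn = make_db()
    return {
        # Normal credentials behave the same in both versions.
        "vuln_valid": login_vulnerable(conn, "bob", "hunter2"),
        "hard_valid": login_hardened(conn, "bob", "hunter2"),
        # The injected password turns the WHERE clause into
        # "... AND password = '' OR '1'='1'", which matches every row.
        "vuln_injected": login_vulnerable(conn, "alice", SQLI_PAYLOAD),
        # With parameters the payload is compared literally and matches nothing.
        "hard_injected": login_hardened(conn, "alice", SQLI_PAYLOAD),
        "vuln_xss": greet_vulnerable(XSS_PAYLOAD),
        "hard_xss": greet_hardened(XSS_PAYLOAD),
    }

if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value!r}")
```

Running the block shows the vulnerable login returning the admin row for a bogus password while the hardened login returns nothing, and the escaped greeting rendering the script tag as inert text; those contrasts are exactly what a finding in an application penetration test report documents.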
PCI DSS Penetration Testing
Since 2015, PCI DSS Requirement 11 has required any company that processes, stores, or transmits electronic card transactions to perform a PCI DSS Penetration Test at least once a year. You are also required to perform this type of testing after any significant change to your network infrastructure. Beyond the compliance requirements, your company wants and needs to protect your customer data. If an attacker were able to get to this sensitive information, it could be devastating to your business and your reputation.
Our PCI DSS Penetration Testing involves a network scan for vulnerabilities, followed by manual testing that mimics real-world techniques that attackers are using today. If you’ve recently had a change to your network environment, we can help ensure that any controls in place are working effectively after the upgrade or migration. To show improvement, our PCI DSS Penetration Testing engagements can include a retest once you’ve completed remediation on vulnerabilities found the first time around.
Black Box, White Box, & Gray Box
If you're familiar with penetration testing, you've probably heard these terms thrown around. Black, White, and Gray Box Testing refer to the level of knowledge of and access to the target granted to the analyst performing the tests.
A black box test involves the analyst using publicly available information to discover the IP addresses to be included in the test. With no prior knowledge of your external systems given to the analyst in advance, they are able to better emulate a real-world attack through active system discovery.
During a white box test, the analyst is given full knowledge of the environment and is allow-listed on the network(s). This allows for a comprehensive test of all areas within that network, not just what is publicly available. Though it's less of a real-world simulation, a white box test typically identifies more vulnerabilities, even ones an external attacker might not be able to reach.
Gray box testing falls in between. The analyst is given limited access to your systems with user-level permissions, typically including network architecture documentation and an internal account on the network. This is designed to test the security behind your external defenses, such as firewalls and IDS/IPS.