Penetration Testing

Network Penetration Testing

The more access your customers and employees have to your networks and systems, the more potential entry points there are for a malicious attacker. With different types of networks available, it stands to reason that there are penetration tests specifically designed for each of their unique security threats.

A Network Penetration Test can be performed on any type of network that you have, such as internal, external, and wireless networks. TraceSecurity also offers a collaborative penetration test, called Purple Team Penetration Testing, that involves coordination of our Red Team and your Blue Team to verify your internal detection as the ethical hacks occur.

Application Security Testing

Applications are typically your most public exposure point, which makes them at high risk of exposing sensitive information or allowing unauthorized access. These could be web applications, mobile applications for iOS, Android, or tablets, or even the APIs used to connect your various applications.

Our Application Testing is based on the OWASP Top 10 guidance for web applications, mobile applications, and APIs, incorporated into our proprietary testing methodology. It's important to determine if your app is a target due to application-layer vulnerabilities such as cross-site scripting or injection attacks, whether it's during or after development. You should perform App Security Testing at least once per year, or anytime there are significant changes or updates to the application.

PCI DSS Penetration Testing

Since 2015, PCI DSS Requirement 11 mandates any company that processes, stores, or transmits electronic card transactions is required to perform a yearly PCI DSS Penetration Test. You are also required to perform this type of testing if there are any significant changes to your network infrastructure. Beyond the compliance requirements, your company wants and needs to protect your customer data. If an attacker were able to get to this sensitive information, it could be devastating to your business and your reputation.

Our PCI DSS Penetration Testing involves a network scan for vulnerabilities, followed by manual testing that mimics real-world techniques that attackers are using today. If you’ve recently had a change to your network environment, we can help ensure that any controls in place are working effectively after the upgrade or migration. To show improvement, our PCI DSS Penetration Testing engagements include a retest once you’ve completed remediation on vulnerabilities found the first time around.

Black Box, White Box, & Gray Box

If you're familiar with penetration testing, you've probably heard the these terms thrown around. Black, White, and Gray Box Testing has to do with the level of network access granted to the analyst performing the tests.

A black box test involves the analyst using publicly available information to discover the IP addresses to be included in the test. With no prior knowledge of your external systems given to the analyst in advance, they are able to better emulate a real-world attack through active system discovery.

During a white box test, the analyst is given white-listing permission to the network(s). This allows for a comprehensive test of all areas within that network, not just what is publicly available. Though it's less of a real-world simulation, a white box test typically identifies more vulnerabilities even if an external attacker might not be able to access them.

Gray box testing is a little in between. The analyst is given some access to your systems with user-level permissions, including network architecture and an internal account on the network. This is designed to test the security inside your external defenses like firewalls and IDS/IPS.