Are your applications and services adequately protected from attackers?
Hacker attacks can damage your company's image and threaten its very existence, because they cause a loss of public confidence.
Once your data is in the wrong hands, it is often misused and resold to criminals. This scenario is a nightmare for every one of your customers.
The EU General Data Protection Regulation (GDPR, EU-DSGVO), which came into force on 25 May 2018, means that the loss of customer data can result in penalties and the associated financial losses.
Hacker attacks, in particular malware attacks, can affect your business operations or even bring them to a standstill.
Web penetration tests are planned, performed and evaluated by our specially trained analysts according to recognized standards.
Our penetration tests follow an agile process and are carried out in close consultation with the customer.
The pentest is prepared in a kick-off meeting with the technical and organizational stakeholders of your company. The scope and conditions of the test are specified, the necessary user accounts and access routes are agreed, contact persons and escalation paths are defined, and the pentest is discussed in detail together.
Our analysts first collect as much information as possible. Based on this information, analysis strategies are developed to identify possible attack vectors, which are then examined for vulnerabilities in extensive tests.
In this phase, the identified vulnerabilities are actively exploited in an attempt to gain access to the target systems. Depending on the service or technical environment, our pentester writes new exploits or uses existing ones. Potential vulnerabilities can turn out to be false positives; only verified vulnerabilities are included in the final report and classified according to their criticality.
You will receive a comprehensive final report consisting of a Management Summary and a Technical Report. The criticality of the vulnerabilities and the recommended actions are described in detail.
In this phase, the identified vulnerabilities are remediated by your company. If required, our experienced security engineers will support you.
After remediation, you can have us carry out a follow-up check, in which we verify the effectiveness of your measures and update the results report.
In this final meeting, all critical points in the results report are discussed and any remaining questions are clarified.
We have developed a comprehensive reporting format that provides optimal insight into our work and its results.
The following section describes our test modules. As a rule, the longer our analysts examine your web application, the more meaningful the results will be. If you have special requirements, we will be happy to make you an individual offer.
In the following we have compiled an overview of frequently asked questions. If you have any further questions, please do not hesitate to contact us.
The individual test types differ in scope and time required. As a rule, the longer the test period, the more meaningful the results.
Security analyses are usually carried out remotely. If your application cannot be reached externally, our analysts will be happy to assist you in setting up remote access. If this is not possible either, our analysts will visit your company and carry out the security analysis on site. Please note that on-site tests incur additional costs and are subject to time restrictions.
The OWASP Top 10 project serves to identify and explain the most common vulnerabilities of web applications. It represents a broad consensus on the most critical security risks for web applications and thus increases the transparency and effectiveness of our work.
The OWASP Testing Guide defines procedures and techniques for testing the most common security vulnerabilities in applications. It has become the de facto standard for security analyses of web applications.
In the whitebox approach, our analysts have access to and knowledge of the software's internals (source code and any existing documentation). The greybox approach tests the software with partial knowledge of the internal workings of the application. In the blackbox approach, by contrast, the testers have no access to or knowledge of the software's internals.
Despite a thorough review, few or no vulnerabilities may be identified. Thanks to our comprehensive final report, however, you can still fully understand our work.
We offer you individual subscriptions and an attractive discount for regular customers. With these pricing models, your projects enjoy the highest priority.
For iterative reviews during the development process, turingpoint GmbH offers DevOps security consulting, for example.
Our security engineers cover the tools, processes and methods for the design, implementation and testing of secure IT systems and applications. Security engineering ensures that the specification is met under the intended security conditions.
Although crashes or even data loss are very rare during our security analyses, we generally recommend that you create a backup of the target system beforehand.
If a backend or protected user areas are to be tested, sample login credentials are required so that all sections of the application can be examined.
If your web application is under high load during our business hours (weekdays, 08:00 to 20:00) or its availability cannot be guaranteed during this period, tests can also be carried out outside our business hours. Please note that we charge a surcharge in such cases.
The time period to plan for our web pentests depends on the type of test you choose and the complexity of your web application. For our basic test we plan 1-2 working days, the standard test 1 week and the comprehensive test 2 weeks. In addition, our analysts need time to prepare the final report.
Our self-developed web application testing tools can generate high traffic on the target system. If our analysts or your IT team notice performance problems during the security analysis, we can throttle our software.
Thanks to our flexible processes, we can also start your time-critical project at short notice.
Our analysts use their many years of experience and tools, such as self-developed software, to find security problems in your web application.
As part of the kick-off meeting, our analysts agree with you on a contact person to whom critical vulnerabilities can be reported during the security analysis.
We use common tools such as OWASP ZAP, Burp Suite and sqlmap. However, our work is based on self-developed software, which we constantly extend and improve.
It cannot be ruled out that confidential data becomes visible during the security analysis. As a matter of principle, an NDA (non-disclosure agreement) is concluded before the security analysis begins.
As a matter of principle, our analysts do not carry out Denial of Service (DoS) attacks. However, due to the high number of requests generated by our software, our test may be identified as a Denial of Service (DoS) attack.
The risk of an outage of the target system cannot be ruled out during a security analysis. You should therefore have up-to-date backups, and the responsible IT team should be available. If available, the test should be performed on a test or acceptance (staging) system.
The preparation of the final report is part of our offer and takes about 2 additional days.
In our dynamic HTML format, content and vulnerability findings can be filtered, sorted and exported to other formats. This allows your IT team to process the findings more efficiently.
Our comprehensive final report makes our work fully traceable. We document not only the findings, but also the actions of our analysts.
An optional re-test can take place once your IT team has resolved the previously identified vulnerabilities. This is not a full security analysis, but only a re-test of the previously identified security issues.
In our comprehensive reporting format, our analysts document measures with which the identified security problems can be resolved. Should you require technical support, we will be happy to make you an individual offer for advice from our security engineers.
The final meeting can also be held as a presentation at your premises for a flat-rate travel allowance.