POSSIBILITIES AND APPROACH FOR PEN TEST

Pen testing can serve multiple purposes. To give you an idea, we distinguish the following types of pen test:

Agile pentesting
Compliance pentesting
Continuous pentesting. 

The approach is almost the same for all three pen tests. We can roughly divide the performance of our tests into 3 different phases: preparation, implementation and reporting. 

Possibilities

Agile Pentesting 

Agile pen tests are aimed at providing insight into security risks as early as possible. This can still be done in the development phase of an application or system. 

You indicate in which sprint a pen test is required, and we provide the expertise at the requested time. This can be done right from the start of a project. The sooner security is included in the sprints, the easier it is to comply with the ‘privacy by design’ and ‘security by design’ principles.

Compliance Pentesting 

Mature organisations periodically carry out pen tests to test the effectiveness of the management and security measures taken. Organisations with an ISO 27001 or NEN 7510 certification must have a pen test performed by an independent party at least once a year. 

There is often a need for a pen test that involves testing according to a certain framework of standards. The official reporting is necessary to provide internal and external parties with insight into the risks, the solutions and the recommendations. 

These include standards frameworks such as: 

OWASP Application Security Verification Standard (ASVS)
OWASP Mobile Application Security Verification Standard (MASVS)
NCSC ICT security guidelines for web applications (DigiD assessment)
NIST Technical Guide to Information Security Testing (800-115)
Baseline Government Information Security (BIO)
MITRE ATT&CK Framework. 

Continuous Pentesting

The number of organisations that continuously perform pen tests and security checks on their infrastructure and applications is still small. In addition to using various security tools, the testing of security controls is also automated. This provides continuous insight into the current risks in the field of information security and privacy protection.

Continuous pentesting goes beyond the work of a pentester. In addition, the CISO’s periodic checks are also automated so that they are performed periodically and consistently. This service can also be supplemented with our SOC/SIEM solution for Continuous Automated Pentesting.

Approach

First, in an intake interview with your organisation, we determine the principles and scope of the penetration test to be performed. We will prepare a quote based on this information.

Rules of engagement

If your organisation requests a test, you sign an indemnity statement for performing the pen tests. The indemnification is only valid for the term stated in the indemnification statement. This statement also includes a confidentiality clause. If your organisation wishes an additional confidentiality statement or processing agreement, we would be happy to cooperate.

Getting started quickly

The schedule is always determined in consultation with you. Tests can generally start within 14 days.

We can perform the pen tests remotely or on site at your location. In this way, we mutually gain the best insight into the risks. Our experience also shows that our presence contributes to awareness of security risks.

Report

It is agreed in advance whether a report is desired and, if so, what form it should take.

In the case of Agile pentesting, the findings are placed directly on the backlog of the DevOps team. Usually, a short report of the work performed and a list of registered backlog items is sufficient for an auditor.

Compliance pentesting requires an official report containing the management summary, the findings, the solutions and recommendations. The report can be drawn up in either Dutch or English.