Independent penetration testing: what we do and why
If you’re looking for penetration testing for your organisation, you’re unlikely to want to compromise. You’re dealing with highly sensitive data - medical, financial or personal - and the risk of disclosure doesn’t bear thinking about.
Except, of course, you have thought about it. You’ve built a highly secure system to protect against malware and supply chain attacks. You just need an authority to examine whether your infrastructure is watertight.
At Datavax we leverage established practices, certified testers and the latest security tools to uphold the highest standards of testing.
We’re independent, and that’s unusual
A lot of companies that provide penetration testing are also trying to sell you something.
Like a mechanic at a garage, they’ll check over your car, see what’s amiss and then offer to fix everything. Now a very trustworthy mechanic might give you a very honest quote. But in general, there’s a reason that MOTs and NCTs take place independently from those who make a living fixing the problems they find.
It’s the same with penetration testing. If a tester’s priorities are split between finding issues and fixing them, their assessments may not be entirely without bias. At Datavax, we’ve chosen to offer testing alone so that you can have full confidence in our findings.
Our Red Team approach simulates a real cyber threat
When it comes to what we can find, we believe we have the edge.
Ultimately when you’re trying to protect against hackers who may be highly proficient, you want testers who are highly proficient too. Testers who are capable of finding any and all security weaknesses ethically before they’re discovered illegally.
Hackers are humans, capable of using human creativity to exploit exposed vulnerabilities. So our testers, likewise, don’t rely solely on automated tools for their tests.
Now, we do make use of some of the strongest tools available, including Burp Suite Spider, Nikto and DirBuster. But for our web application testing, automation only accounts for 25% of our Red Team penetration method. Our CREST-certified testers (the Red Team) expend most of their effort creatively using this automatically gathered information to see if they can get past the security of your organisation (the Blue Team), simulating a real-world threat.
We uncover security gaps that other teams might not find
Our ethical hackers are, if we may say so, some of the best in the field. Our team holds a mixture of certifications, including CREST, and has extensive experience in testing methodologies. We also put a senior penetration tester on every project to ensure we don't miss even the most complex or hard-to-find vulnerabilities.
And we do find them. We’ve found cookies that would have allowed a hacker to create a new Administrator-level account and wreak havoc. We’ve identified a cached post-authentication client session that would have allowed PII to leak. We’ve even discovered an SQL injection that enabled us to download a database table full of unencrypted credit card information - for hundreds of customers.
Because the companies in question hired us, the gaps in security were discovered by ethical hackers, and not the other kind. They didn’t have to pay out fines, deal with reputation damage, or face a single hiccup in their operations. They could simply address the issue and continue to serve their customers with peace of mind.
We’re personally on hand from start to finish
Even when you know that the test is necessary, that the threat is a simulated one, and that you’re hiring a CREST-certified team, it’s still a little unnerving to let anyone hack your organisation.
That’s why we ensure you have a dedicated contact from the early scoping stages right through to the end of the project. Your project manager will help demystify the process, be on hand to answer any questions, notify you if any critical issues are found, and ensure the entire project is efficient.
Your dedicated project manager will never close a project until you are happy and your team understands both our reporting and the actions they need to take. We want to offer support for as long as we can be useful and make the experience as positive as possible.
Some penetration testing companies might choose to be faceless, but from our perspective our people are an important part of the package. While the human side of what we do might not seem as important as our technical rigour, the companies we work with come to value it highly:
“Working with the team at Datavax was a joy. From the outset they were warm, friendly and professional, and provided clear feedback and advice.” - Chief Technology Officer
“Datavax were very easy to deal with. All queries and requests were responded to promptly and in a pleasant and helpful manner.” - Credit Union Manager
“Datavax provided an excellent service from beginning to end.” - Chief Operating Officer
We provide a senior tester every step of the way
You won’t only get a project manager from the get-go, you’ll also get a senior tester.
Your IT team, CTO, COO or consultant will be able to ask our senior tester highly technical questions. In return, they’ll be able to ask your team questions that a less experienced tester wouldn’t know or be confident enough to ask. This senior input enables us to scope out your infrastructure in a more defined way. As a result, you get a more accurate quote and our team will be able to put their efforts where it counts.
When you need to bundle several tests together (web, app and social engineering, for instance), a senior tester will have the experience needed to schedule these according to your priorities. If a less experienced tester were left to do this, it would be much more of a guessing game. But our team setup enables you to get better value in a clearer timeframe.
Finally, our experience and responsiveness ensure no time is wasted. During the scoping stages, a senior tester might highlight an issue that you can sort out straight away, even before we begin testing. Also, once testing begins, if critical gaps are discovered in your security, our team will feed this back to you in real time so you can resolve the issue fast.
To learn more about what we do and how we do it, don’t hesitate to get in touch.