Q: What is a penetration test?
A: A penetration test (also known as a pen test or a pentest) is an authorized cyberattack against a company's network. The test is conducted to check applications and systems for exploitable vulnerabilities that hackers and other cybercriminals could use to gain access. During the test, a cybersecurity professional runs controlled, simulated attacks against the network's defenses.
Penetration tests are always conducted under controlled conditions that simulate various scenarios used by a real attacker. Penetration tests go well beyond basic vulnerabilities. Penetration tests scan the network for any vulnerabilities—large or small—that could be used by a hacker to gain access to sensitive data such as financial information, personally identifiable information, company assets, customer/client data, information on business partners, and more.
Our tests use a disciplined and repeatable methodology, which results in a detailed report that identifies vulnerabilities and includes recommendations on how to remedy these issues to improve your environment's security. Security improvements make it more difficult for a malicious actor to gain access to the system.
Q: What are the goals of a penetration test?
A: The goal of a pentest is to evaluate all security measures' effectiveness on a network. The pentest results are aimed at documenting specific vulnerabilities and supplying recommendations on how to fix these issues. Penetration test results are geared to supply a deliverable report that includes:
- Executive summary: which covers the basics of the testing and any issues that were found. The report should also include the next steps to fix any issues that were found during the pentest.
- Summary of vulnerabilities: this is a list of the security issues found during the penetration test. Vulnerabilities may be grouped by category, severity, etc.
- Test team details: this should include the name of each tester involved in the pentest.
- List of tools used: this should include a list of each tool used and its function. The reason to include this list is to make sure the tests are accurate and repeatable if the assessments need to be done again.
- A copy of the original scope of work: detailing what was performed, expectations, etc.
The report's main body includes the details of all vulnerabilities that were detected and how each one might be exploited, including the likelihood of exploitation.
Q: Why do we need a penetration test?
A: Penetration tests are important for various reasons, including:
- Your industry may have regulations that require pentests to be performed regularly.
- Pentests can determine if changes in the environment have created vulnerabilities. Changes include upgrades and system reconfiguration.
- Tests can be done during the QA process of software development, preventing security bugs from entering production systems.
- Your customers may require pentesting if your company is involved in data storage. Testing can reassure customers that their data is secure and prove that their assets/services are managed securely.
- Pentests are usually required for internal due diligence to verify the company's current security management of vulnerabilities and possible risks. Test results can also be integrated with an on-going risk assessment and management process.
- Pentests are a valuable tool to check that potential acquisition targets have adequate security controls. The test results help the organization preparing for the acquisition to see what vulnerabilities it may be taking on, and then use the report to budget the costs involved in fixing these weaknesses.
- During a breach investigation, pen tests can help assess whether or not the company is vulnerable to other security issues, creating a more comprehensive response to the breach.
- Pentesting can also help a company be proactive and run an assessment to check for vulnerabilities that have just been discovered or are not yet widely known or published.
- Penetration testing is an optimal tool to use during the development of new web applications. At specific points during development, pentests can detect flaws. Also, testing can be run before the app is released to ensure all security issues have been found and corrected before users use it.
Q: What can we expect from the pentesting process?
A: This is a highly disciplined process. The company running the tests should keep all stakeholders informed at each crucial stage of the process. And you can also expect the following from a penetration testing company:
- The company to have a thorough, well-coordinated plan and be dedicated to keeping you informed at important stages throughout the testing process.
- A reputable penetration company will have a disciplined, repeatable method they apply.
- Their testing methods should be customized to fit your unique environment and business.
- The testing company should offer a clearly defined:
a. Initiation process
b. Planning process
And they must offer coordinated testing and work to ensure the tests are accurate while providing clear direction to fix any security issues found during the test.
Q: What is the scope of the penetration test?
A: The company will work with you to determine the scope of the testing. The tests must be customized to fit your unique environment and business. Several considerations help determine the scope of a penetration test:
- The type and nature of the business, including types of products and services offered
- Any regulatory compliance requirements and deadlines
- Location/geographic considerations
- Organizational structure
- Company's strategic plans
- Customer expectations, especially if the company stores customer data
- Value of the organization's assets
- Redundancy issues in the environment, which could impact testing
- Network segmentation and connectivity
- Age of various components of the network
- Recent/planned changes to the environment
Q: What are the different options for pentesting?
A: There are several common areas usually selected for testing, including external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are generally performed as part of a single comprehensive penetration test, but each one varies in the approach needed for the test.
External network: focuses on the technology that faces the Internet. This may include the company website, external network servers, and more. The test begins by looking for potential targets: responding networks, hosts, or services that could be used to gain entry to a secured network. When a web application is identified as vulnerable, the security consultant asks for permission to go deeper, checking for exposed services and their relationships. The goal is to check for vulnerabilities that can be used to gain entry to the internal network.
Internal network: very similar to external pentests but oriented to internal attack vectors rather than external ones. An internal pentest is done on the internal network, behind the perimeter firewalls. The approach is similar to external penetration tests; it can be conducted remotely, over a jump box, or onsite. Onsite testing allows the penetration tester to target internal systems such as file servers, individual user workstations, domain controllers, internal application servers, databases, and other connected devices.
Web / API / Mobile applications: these tests are more in-depth and review over 100 specific areas within each web / mobile application. Testing usually starts with information gathering and then goes on to test the following areas:
- Configuration and deployment management
- Identity management
- Session management
- Data validation
- Error handling
- Cryptography strength
- Business logic
- Client-side security
- Reverse engineering
- And other development language-specific tests as needed
Testing offers a comprehensive look at the company's web / mobile applications, intending to identify and evaluate technical vulnerabilities. Testing is usually set up in advance and is authorized by the company. Any credentials or packages needed are provided to the security consultant so that the application can be reviewed from both an authorized and an unauthorized user's perspective, identifying the risks that may affect the scoped application's security.
Remote social engineering: this type of test is conducted to assess employee security awareness and incident response. It's performed under controlled conditions and uses intentionally crafted fake websites and email campaigns that target employees; it can also cover phone contact and other customized attack scenarios. This test is most often conducted after security awareness training or education to check the training's effectiveness.
Remediation verification: this test re-checks vulnerabilities that were previously found and fixed. It is used to confirm that corrective steps were implemented and are effective.
Q: What qualifications should the penetration testing team have?
A: You'll want to ensure the penetration test provider meets these standards:
- The team should include a dedicated project manager, skilled/experienced test team, resource coordinator(s), and a point of escalation.
- The team should be comprised of individuals who have in-depth experience with multiple technologies, including:
a. Client platforms
b. Server infrastructures
c. Web application development
d. IP networking
- Each member of the team should have valid certifications that are relevant to their roles:
a. Offensive Security Certified Professional (OSCP)
b. eLearnSecurity (eWPT | eWPTX)
c. Any other Offensive Security certification (OSWE | OSCE | OSEE) or equivalents
d. EC-Council (C|EH)
If the penetration test is conducted to meet regulatory requirements, the team will need additional experience and/or certifications to ensure the methods used are appropriate and the results are presented correctly. For instance, a pentest conducted to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 should be performed by a team with these certifications: PCI QSA and PCI PA-QSA. Some teams may also have additional technology certifications to demonstrate their knowledge and competence.
Q: What documentation should I receive when the test is complete? How are the results documented?
A: When the pentest is complete, you should receive a report that details the test findings, recommendations, and supporting evidence. In addition, the report should include the scope and boundaries of the testing and when the test was conducted. The report should contain detailed technical information, along with a summary for those who are non-technical. Your report should include the following:
- Detailed recommendations on how to remedy observed vulnerabilities
- Information on how the vulnerabilities may impact the business
- Specific instructions to fix vulnerabilities, including any instructional material that may be required
- Supporting evidence and examples
- Step-by-step and screen-by-screen walkthrough that shows exploits; this allows you to understand and reproduce each scenario.
- Executive and summary reports for those who are non-technical
- A separate report prepared for third parties (such as customers) who would like proof the penetration test has been conducted.
- All deliverables should be high-quality and reviewed with you, which helps validate the test's accuracy and ensure you understand all recommendations.
Q: How can we validate that vulnerabilities have been fixed?
A: Validating that vulnerabilities have been fixed can be done using in-house testing or by using an external, independent company that performs verification testing. While some companies choose to go with in-house validation, most choose to use an external independent company's services for validation.
This is why it's so important to have the penetration test set up in a repeatable manner. As a best practice, the company that performs the remediation validation testing should not be the same company that performed the penetration test. Using the same tester is not as reliable as using an independent security consultant to check the work.
Q: How do we prepare for a penetration test?
A: There's no special preparation needed before a penetration test. The pentest will be done at a specific point in time. So, if you run regular patches on Wednesdays or Tuesdays, just keep to the same schedule. You don't have to change this process to accommodate the pentest. Only adjust this process after the assessment, if the test shows issues that need to be addressed.
However, when planning and coordinating the test, the testing company should include you in the process. They should have documentation that provides details on in-scope IP ranges, and you may need to prepare test environments and support the test scenarios defined in the scope.
Other than that, there's not much preparation needed before the pentest.
Q: Should we fix every vulnerability reported?
A: After reviewing the pentest report, you'll need to review each vulnerability using a risk-based model before making any firm decisions. Each vulnerability needs to be evaluated as to how it impacts your business and the probability of this vulnerability being exploited. Then you can assign a risk rating to the specific vulnerability.
It's important to have risk criteria defined to determine if specific vulnerabilities need to be fixed or not.
For those vulnerabilities within an acceptable threshold, you may decide to monitor them to see if their risk level changes over time. The pentest result report should help you with this process.
When you're in a compliance situation, vulnerabilities may be seen as risks to security. In these cases, the risks need to be addressed, or you may choose to employ compensating controls when a fix is not possible.
Q: How much does a penetration test usually cost?
A: The cost of a penetration test is based on several factors, including:
- The scope of the project
- Size of the environment
- Quantity of systems
- Frequency of testing
It is important to have a meeting to determine the testing scope and develop a Statement of Work before the test is conducted.
In the best case, a pentest should be done on a fixed-fee basis, which helps you to avoid hidden or unexpected costs. The fee quoted should include all labor and required testing tools. You should avoid engaging a testing company that provides a statement of work that only gives you an estimate rather than a fixed cost.
However, at **Binary Brotherhood**, we take a different cost approach, making us probably one of the most affordable pentesting companies at this point.
Q: How much time does a pentest take?
A: You'll need to ensure that enough time is reserved ahead of the test, which can be used for planning test activities. It's also helpful to add more time after the test is done, so the testing company has time to write up the report and for meetings and remediation discussions.
Generally, the larger or more complex the environment is, the more effort will be needed for the test.
Test duration, however, is controllable. In all instances, the test duration should be compressed to give the best results and view of the environment at a given point in time.
As a rule of thumb, a penetration test may take anywhere from one to four weeks. This includes the test itself, which can take one to two weeks.
Q: What is the difference between "ethical hacking" and other types of hackers and pentesting?
A: Ethical hackers are those who work legitimately to test your company's network. "Black box testing" is a covert, unassisted test, while "white box testing" is assisted but non-covert testing. These are not strict designations; be aware that there are shades of gray between these categories.
You should not put much store by these terms because they're generally used as marketing ploys. These designations should not be used to determine whether a team is qualified or not to conduct penetration tests. Instead, look for a company that has credentials for each team member on the project. They should also include information on each team member's experience, peer references (from those who have worked with them in the past), and that their approach/methodology is accepted in the industry. This is what you should look for when choosing a company for your penetration testing.
Q: How does scoping of the penetration tests work at your company?
A: Scoping a test is a structured process where you submit information about the target (including platform specifications, objectives, and instructions). We then use this information to create a team of pentesters who have the right skills to test your environment.
Q: Does your company do security testing for mobile apps?
A: Yes, as we said previously, we can cover all mobile platforms; however, we most often test iOS and Android apps. The tests are done using the latest frameworks and techniques, including reverse engineering and other custom tooling.
Q: Do you do security testing for APIs?
A: Yes, we understand that SaaS businesses rely heavily on web APIs. As a result, we provide specialized API pentests. We're able to test web apps, mobile apps, and external networks, making us a great fit for most online businesses.
Q: Do you perform security testing for networks?
A: Yes, we can conduct external network testing. We usually do this for PCI testing or similar cases.
Q: What kinds of vulnerabilities do pentesters usually find?
A: Our pentesters find vulnerabilities of all types. However, they most often report vulnerabilities in a company's business logic, SSRF, Cross-Site Scripting, and other vulnerabilities that fall into the OWASP Top 10 categories.
Q: Can I get the pentesters to test specific scenarios I am particularly worried about?
A: Yes, you'll have the opportunity to communicate directly with the test team. You can ensure they have the necessary knowledge to perform a high-quality test for those scenarios you're concerned about.
Q: Can I share my credentials (usernames + passwords) with the pentesters for authenticated testing?
A: Yes. In fact, most of the pentests we perform are on authenticated parts of a service, and we provide a secure way to share user credentials through the platform.
Q: I don't want tests to be run on my production environment. How can I avoid this?
A: Keep in mind that testing of production is recommended. Testing does not usually have a negative impact on systems. However, to avoid testing a production environment, it's best to set up a staging environment that includes sample data for security testing.
Q: How many requests will hit my site during testing?
A: During the test, pentesters may use automatic tools that check for different vectors to make sure you're being protected across various areas. The traffic and requests should be similar to normal traffic and requests your site typically experiences from regular site visits by a few users. The peak may reach 100Mbps (0.1Gbps) when running short, intense scans. However, most of the testing relies on manual techniques, which typically use an order of magnitude less.
Q: I want to specify off-peak times for penetration testing so my production environment does not go down when my users are most active. How can I do this?
A: The testing, in general, will not harm or interfere with your systems. However, if you'd like to establish specific times for the pentesters, you can include this information in the program description. In this way, you can specify when pentesters can be active in your production environment to run tests.
Q: Do I need approval from my cloud provider (AWS and others)?
A: The larger cloud providers (AWS, Azure, GCP) don't require prior notification of normal penetration testing. However, if you use a small provider, be sure to check with them, and we can supply the information they may need.
Q: Who are the pentesters?
A: We use a community of pentesters who are highly skilled and passionate about the work they do and who work to be at the top of their game. The hand-picked community includes security professionals who have years of experience and specialized skills. They are also dedicated to staying up to date with the latest vulnerabilities and exploits, along with the most current tools and methodologies to find these security issues.
Q: Can anyone become a pentester with your company?
A: Please check the Open positions section to understand our hiring process.
Q: How are pentesters rated?
A: Pentesters earn feedback on their performance and knowledge from companies they've worked with in the past and from peers when working together on a security project. The feedback contributes to a pentester's overall quality score and vulnerability report ratings. This information is used to rate a pentester's performance on our platform. A Hall of Fame will be available to clients soon.
Q: What is a Pentester's Score?
A: The Pentester's Score is the pentester's overall performance on our platform. Values are determined on a variable scale, and we are using AD&D rules to scale it. Our people have a score, rank, and various badges that reflect their skills and overall activity.
Q: What type of deliverables can I expect from your penetration tests?
A: You can expect individual finding reports with detailed information about each vulnerability. You'll also receive a full summary report, which describes the test and the findings at an executive level and is the perfect report to share with stakeholders.
Q: Can I use your pentest reports for my sales process?
A: Yes, you can use our pentest reports to show your customers that you take security seriously. Our reports come in different levels of detail, ranging from an attestation-style report to a full report with all finding details. So, you can decide exactly how much information to share with your customers.
Q: I need a pentest report as soon as possible, can you help me?
A: Yes, we're an agile company ready to take on-demand work. You can schedule a demo today, and we can get your testing started as soon as possible.
Q: Can I just get a simple report from your pentest?
A: In theory, yes, just get in touch, and we'll provide you with a sample report as a result of a quick discussion.
Q: How do you ensure report quality?
A: Our report quality is ensured by the QA team of Principal penetration testers with 10+ years of experience in the area, responsible for ensuring each finding and the entire report meets our high-quality expectations. Our Leads are highly experienced; in fact, the average professional experience of our Pentest Leads is about 11 years. Also, each member of the team is rated based on their report submissions. This provides accountability and transparency for our company to deliver consistent, strong results every time. Quality reports you can count on.
Q: If I don't completely understand a vulnerability report submitted by a pentester, can I communicate with the pentester directly?
A: Yes, in fact, we encourage this, as communication is essential. You can write comments and questions directly to the pentesters and ask them to clarify a specific report. It's also possible to write internal comments to your team to increase collaboration.
We also understand that pentest findings may not always be fixed right away. For this reason, we allow you to have direct communication with the pentesters for months after the pentest has been completed.
Q: Who can see the findings of my pentest?
A: Only team members who have been invited, along with the pentesters, are allowed to see the list of vulnerabilities reported. Our customer service and SecOps members will also be able to review vulnerabilities to support the pentest. All access is visible and controllable within each pentest program's settings.
Q: Can a pentester publicly disclose vulnerabilities found on my site?
A: They can only do so with your permission. If a pentester wants to share this information publicly (either anonymously or not) to benefit the community, they need to request your permission and act according to your response.
Q: What security practices do company employees follow to prevent data leaks?
A: All of our employees are required to use strong, unique passwords and two-factor authentication with Google Authenticator or Authy where possible. In addition, our employees use password managers, screen locking, and local hard drive encryption to protect data. More information about our internal security practices can be found in our Security policy.
Q: Why should I choose Binary Brotherhood?
A: At Binary Brotherhood, we believe that penetration testing can be more straightforward and less complicated than it is right now. Dedicated to our clients' security, we offer a Security-Skills-as-a-Service model, drawing on our combined years of experience to develop and deploy penetration testing methodologies that work. Our vision is singular: we want to keep you and your business safe so that you never need to worry about your security, confident that your systems are in good hands.
Q: How are you working?
A: At Binary Brotherhood, we strive to achieve simplicity, and that's why we have a checklist. In a nutshell:
- You get in touch with us
- We scope and send you the Statement-of-Work(SoW)
- You double-check, sign, and accept the terms
- We deploy the team and open a real-time communication channel
- At the end of the engagement, you receive the report
- We will follow up with you
At Binary Brotherhood, we maintain a track record of quality for all our projects. As a quality- and performance-driven company, we are focused on ALL our clients. "We say what we do, and do what we say" is the principle that pervades every engagement and every delivered project. Every completed engagement allows us to assess our people's technical approach and the execution of each project phase, and to improve our execution sequences.
Q: What can you test?
A: Binary Brotherhood members are well known for their experience and flexibility in executing penetration tests of web applications (with or without backing APIs), mobile apps (iOS / Android), network infrastructure, and cloud environments. If you have something more exotic that needs to be assessed, do not worry: send us an email or let's have a chat, and we are happy to see if we can help.
Q: Could you help us with the typical PCI, SOC-2 compliance?
A: Yes, we can. We meet the pentest requirements of most current compliance frameworks, such as SOC-2 and PCI-DSS (11.2 | 11.3). Send us an email or call us to get more insight on this matter.
- PCI DSS requirement 11.2 - internal and external vulnerability scanning (quarterly)
- PCI DSS requirement 11.3 - external and internal penetration testing (annually and after any significant infrastructure or application upgrade or modification)
Q: Could you help us with testing our GDPR compliance?
A: Yes. We understand that the GDPR coming into effect in 2018 represented a big change in data protection law. Failing to comply with the GDPR could lead to a fine of €20 million or 4% of your annual gross revenue. We can help you comply with GDPR Article 32(1), which instructs a business to execute regular penetration testing / security assessments against its infrastructure and web applications. Ultimately, let's have a chat to understand your current challenges in this space and how we can help.
Q: How is Binary Brotherhood different from conventional penetration test models?
A: Two highlights set us apart from conventional penetration testing models:
- We are global, meaning our vetted resources are located all over the world. For you, this means higher quality at a lower price for the service.
- We deliver the pentest experience through a transparent, collaborative approach with the testing team in conjunction with a couple of other unique features.
Q: Would the pentest imply a notable interference affecting our environment?
A: If the pentest is not planned correctly, and the service vendor does not have enough professional experience to understand the client's business context, it can be disruptive. This is why a Binary Brotherhood testing team consists only of high-end certified professionals with years of experience testing complex environments. Before commencing any testing, they recheck the program details for inconsistencies.
Q: How can I contact your support team using PGP/GPG email encryption?
A: You can send encrypted emails to us by following the instructions below.
- Encrypt your message using plain-text PGP/GPG. Any files have to be encrypted before attaching them to the email.
- Ensure that you are encrypting the message using the contact[at]binarybrotherhood.io public key as this is the only key that we support.
- You can download the public PGP key by clicking here and then import it to your PGP/GPG program. Alternatively, you can copy the whole text, paste it into a text editor, save the file as a .asc file, and then import it into your PGP/GPG program.
Note: Be sure to copy the whole text starting from -----BEGIN PGP PUBLIC KEY BLOCK----- up to and including -----END PGP PUBLIC KEY BLOCK----- and import it to your PGP/GPG program.
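The import-and-encrypt steps above, as an added shell example that is not part of the original page. It generates a throwaway recipient key to stand in for the contact[at]binarybrotherhood.io key (the demo-recipient@example.invalid address is a constructed placeholder) and assumes GnuPG 2.x is installed as gpg.

```shell
#!/bin/sh
# Added example (not from the page): import an armored public key and encrypt a
# message to it with GnuPG. Requires gpg (GnuPG 2.x).
set -eu

# Create a throwaway recipient key in a temporary keyring and export its public
# key as an armored .asc file. This stands in for the key downloaded from the
# page; the e-mail address is a constructed placeholder. Prints the .asc path.
make_demo_pubkey() {
    khome="$(mktemp -d)"
    chmod 700 "$khome"
    cat >"$khome/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Recipient
Name-Email: demo-recipient@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$khome" --batch --quiet --gen-key "$khome/params" 2>/dev/null
    gpg --homedir "$khome" --batch --quiet --armor \
        --export demo-recipient@example.invalid >"$khome/pubkey.asc"
    echo "$khome/pubkey.asc"
}

# Usage: encrypt_to_key RECIPIENT PLAINTEXT_FILE PUBKEY_ASC
# Imports the .asc file (the text from BEGIN to END PGP PUBLIC KEY BLOCK) into
# a fresh keyring, encrypts PLAINTEXT_FILE to RECIPIENT only, writes
# PLAINTEXT_FILE.asc and prints its path.
encrypt_to_key() {
    recipient="$1"; plaintext="$2"; pubkey="$3"
    home="$(mktemp -d)"
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null
    # The imported key carries no trust signature, so tell gpg to use it anyway;
    # in real use, confirm the key's fingerprint out of band before relying on it.
    # --armor produces a text block that can be pasted straight into an e-mail.
    gpg --homedir "$home" --batch --quiet --trust-model always --armor \
        --recipient "$recipient" --output "$plaintext.asc" --encrypt "$plaintext"
    rm -rf "$home"
    echo "$plaintext.asc"
}

# Returns 0 if FILE is an armored PGP message (first and last lines are the
# PGP MESSAGE markers), which is what the recipient expects to receive.
is_armored_message() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$' &&
    tail -n 1 "$1" | grep -q '^-----END PGP MESSAGE-----$'
}

# Run the whole flow with a constructed message; prints the ciphertext path.
demo() {
    pub="$(make_demo_pubkey)"
    msg="$(mktemp)"
    printf 'Hello, this is a constructed test message.\n' >"$msg"
    encrypt_to_key demo-recipient@example.invalid "$msg" "$pub"
}
```

Run `demo` to produce a `.asc` file; the same `encrypt_to_key` call works with the real downloaded key and recipient address in place of the demo ones.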