Frequently Asked Questions on pentest

Here are questions that are the most regularly asked. For any other enquiry or information, feel free to contact us.

GENERAL QUESTIONS

The answer is different for each company, depending on its activity field and its ‘attractiveness’ for attackers.
For highly sensitive activities, it is recommended to run regularly pentests, several times per year. The idea is to test the latest method of attacks.
For less sensitive activities, it is recommended to realize a pentest for each new version or each addition of main features.
Any website can experience cyberattacks, including those which don’t have any sensitive data.
Hackers’ motivations can be to train themselves, to take control of your server to host a malicious website or to make it a source of profit, or just to have fun.
Wordpress sites are for instance among the most hacked websites. Some attacks are automated on a large scale on tens of thousands of websites, and victims are not precisely targeted.
It all depends on the scope to test and on the deepness of the tests wanted.
Exhaustive tests will logically demand more time and consequently a higher budget.
You can go to our Rates page to have more precise elements.
Scanner software enables to run automatic security analysis. They detect a certain number of recorded flaws. It is a first level of security.
A pentest consists in manual and semi-automated tests. Each security audit is made-to-measure, according to your technical and functional architecture.
Penetration testing detects flaws that are not visible for scanners (like logic vulnerabilities). They also enable a deeper analysis by exploiting the flaws found, in order to assess their impact.
To know more about their features and respective advantages of scanners and pentests, you can read this article What does a penetration test vs. a vulnerability scanner bring?
Running a pentest means choosing a structured approach. Systematic research of vulnerabilities with a well-established methodology makes it possible to cover all parts of the exposed system. The audit has a beginning and an ending date, which are planned. It can then be repeated on a regular basis. The client company has a contact person with whom they can discuss, on the flaws, on the corrections to put in place and on the specific risks related to its activity.
To know more in order to choose according to your needs, you can read the article ‘Pentest vs. Bug Bounty.’

QUESTIONS ABOUT THE PROCESS OF A PENTEST

Being a pentester (security consultant) is a profession which involves knowing several languages, to be able to test them.
Besides, many flaws are not related to one specific technology but do exist in most languages.
For any test inquiries about a precise technology, do not hesitate to contact us.
On one side, it can be useful to do a functional demonstration of a solution, in order that pentesters have a better understanding of how a complex business product works. This is interesting for in-depth audits and enables to test more in detail the business logic of the solution.
On the other side, not presenting how the solution works leads to performing the pentest in similar conditions to a real attack; pentesters assessing priority attacks according to the elements they discover along the audit.
It is therefore a choice to do depending on your objectives.
There isn’t one good answer, as it is to be determined according to your priorities.
On the one hand, conducting a pentest on the pre-production environment is interesting, as it is very similar to the final environment, and tests will not affect the services used by your users/clients.v On the other hand, realizing a penetration test on the production environment has the advantage to be done under the real condition of use of your product, with the last developments in place.
It is totally technically possible to test your resistance to denial of service attacks during a pentest. If you wish it, DoS attacks will be launched.
Simulating a DoS attack during a security audit allows detecting vulnerabilities at the configuration or application level, which do not depend on the hosting provider.
Vaadata presents a complete report audit which specifies what has been tested, how it was tested, which flaws were found, as well as how to exploit them.
The report includes screen captures, extracts of stolen data and scenarios for replaying attacks.
The report audit contains technical suggestions of remedial measures. The corrections to be applied are detailed flaw by flaw, which is a result that can be directly used by developers.
Vaadata does not correct the identified flaws and let your technical teams do the remediation.
Vaadata offers to verify that the remediation has been implemented correctly without creating negative effects on other elements.

QUESTIONS ABOUT PENTEST CONFIDENTIALITY

Confidential information that Vaadata might encounter during a pentest is neither collected nor stored. Elements are only transmitted anonymously in the audit report to explain the vulnerability found.
In addition, audit reports are kept by Vaadata only for a limited period of time.
« Hacking » is a general term for a number of various techniques that exploit hardware or human vulnerabilities in information technology. Hacker can be used for benevolent or malicious purposes.
Beyond declarations of intention, Vaadata’s activity is within a legal framework. We intervene only at your request, after a contract and a test authorization have been signed. Your host is informed of our tests, which are performed from one single IP address that is used to identify their place of origin.
Contact us