Pentest Picture

Pentesting

Intrusion testing focuses on the technical aspects of security measures. During the analysis of the test results, the associated risks and potential causes of the vulnerabilities found are determined, both from the client's business perspective. The recommendations in the final report address not only the technical security aspects but also the management and development of other operational processes within the organization.


The primary goal of intrusion testing is to identify vulnerabilities present in electronic services. These can directly or indirectly lead to:

  • unauthorized access of systems and data unauthorized
  • use of systems and data
  • adversely affecting the availability of these services

Goals Pentest

The secondary goal is to determine the underlying causes of the vulnerabilities. These can often be traced back to:

  • causes in the applied technology, such as errors made during development and implementation, but also errors inherent to the applied technologies within the infrastructure
  • causes in management, for example incomplete management procedures or errors and/or shortcomings in the implementation of the procedures
  • causes in use, due to failure to comply with guidelines regarding the use of security measures.

Instruction Tests

The OSSTMM standard is followed for conducting an intrusion test, and a step-by-step plan is used. This standard guarantees minimal negative impact on the tested systems, objective execution of the test and weighting of the results, and a report containing clear and constructive recommendations.

It is also important to note that an Intrusion Test is an iterative process, which includes:

  • Passive tests, including:

    • Collecting information about reachable systems (via computer networks, telephone networks or wireless networks), network topologies used, active (network) services per system encountered;
    • Information about the customer and the techniques and resources used by the customer, including through targeted Google searches.

  • Active testing, which exploits potential vulnerabilities in information and operating systems, network services, procedures, design or configuration errors.

1 2

During all tests, the results are continuously analyzed to determine the cumulative impact of the vulnerabilities found in terms of risks and potential causes. Additionally, recommendations are formulated during the tests to eliminate the risks or reduce them to an acceptable level.

The components described below are primarily focused on testing a web application; for other applications, various aspects may be addressed differently. MKB SECURITY BV uses the OWASP framework as a guideline for testing web applications, ensuring sufficient guarantees for the completeness of the test. A key component of the OWASP framework is the OWASP top 10, which lists the most important vulnerabilities in a web application.

Report Pentest

Reporting and debriefing

Based on the results of the steps taken, a final report is prepared of the findings. The purpose of the report is to communicate the findings through a written report and an oral explanation.

The report contains the following elements:

  • Objectives, scope and depth;
  • Management summary and main conclusions and recommendations;
  • Detailed findings and recommendations from the tests;
  • Analysis of the possible causes of the vulnerabilities found or not found.

A debriefing with the designers and administrators is beneficial for understanding the vulnerabilities and recommendations identified. During this discussion, the recommendations can be further explained or the extent to which the target systems and administrators detected the steps taken can be investigated. This can lead to further recommendations for improving the measures for logging, alarm generation, and incident handling.