Thinking of getting a pentest? Here's a quick summary of the process.
Once you have decided which projects we will work on together, we will generate the following documents for you using Docusign:
- Framework agreement - this is the contract between us, which sets out items including payment terms. It only needs your agreement and signature at the bottom.
- Penetration Testing Scope - this document lists the requirements for security testing and the scope. We will fill in as much of it as we can and can help you complete the remainder.
When these documents are completed we will issue an invoice and contact you to arrange access to your environment and the application. Once you have agreed on a Work Package that suits your needs, testing follows a standard path, and we engage with you and your development teams as required.
1. Acquire Credentials and Access
Depending on the work package, we may require different credentials and access to your code or infrastructure. Any accounts you issue should be dedicated to the engagement so they can be revoked once testing ends. Normally the requirements include the following:
- Code Analysis:
- Infrastructure Testing:
- API Testing:
  - API Keys
  - API Paths
- Web Platform:
  - Standard user login details
  - Administrator user login details
  - Whitelist the VSL IP address
2. Start Date
As we all know, development can take many forms and often runs behind schedule as unforeseen issues occur. We will do our best to remain flexible and ensure that you are happy with your platform before testing commences. Once a date has been agreed and credentials have been provided, we will give you a heads-up before proceeding, after which we will begin work. Depending on your requirements, we may schedule a progress call halfway through the testing process to update you on how it is going.
3. Complete the Security Report
Once our testing is finished and we are satisfied with the findings, you will receive a security report per work package purchased. Within the report you will find an executive summary, as well as an in-depth analysis of each vulnerability discovered and recommendations on how to remediate it and reduce your platform's attack surface. The security report is yours to do with as you wish. It is often shared with team leads and developers so that fixes can be issued right away, depending on their urgency. If required we can provide an additional report for board-level meetings, with executive summaries explaining the overall impact on your product/platform and what is required of you in the next steps.
4. Review the Security Report
Once the report is issued, we will give you some time to review it and our findings, discuss them with the development teams and plan the changes to be made. We are happy to arrange calls and keep communicating for any clarification required, or simply to walk you through the report.
5. Issuing the Fixes and Re-test of the platform
After the issues have been addressed and fixes deployed to the platform, we will await your e-mail to arrange a re-test. During a re-test we revisit each previously discovered issue and verify whether it has been fixed, and we also review the platform as a whole to identify any new issues introduced during development or by new features.
6. The Grand Finale
After re-testing takes place, we provide an executive summary stating which critical/high/low vulnerabilities were discovered (or that none were), whether they were addressed promptly and, where true, that they did not pose a risk to customer information at any time. Normally this summary maps the findings against the OWASP Top 10 with a short statement from ourselves.
These summaries are often used for board-level meetings, and also for clients who request them, to show that your platform is “up to scratch” with modern standards. At the end of testing, if it was successful and the issues have been addressed in a timely manner, we will also provide a certificate of completion to validate the work carried out by ourselves and our satisfaction with the protections put in place.