You are here: Penetration Testing Overview > Penetration Testing Services

Penetration Testing

Here at Corsaire we can help you with everything you need to know about Penetration Testing. Our advanced penetration tests are a fundamental part of your organisational risk-management process, whereby we examine the resilience of your security to identify vulnerabilities and weaknesses in systems such as networks, software, apps or websites.

Why is it called penetration testing?

Much of the confusion surrounding penetration testing comes from the fact it is still a relatively recent and rapidly evolving field. On top of this, many organisations have their own internal terminology (one man's penetration test is another's vulnerability scan, systems audit or security assessment).

The term "penetration testing" itself is actually an old military term, which in turn became a security industry buzzword. There was a time when it was used to mean something quite specific, but these days it is commonly used by customers to refer to just about any type of security testing. We won't be bucking the trend either; part of the beauty of the English language is the way it evolves and changes with time!


What is penetration testing?

Penetration testing is a part of the organisational risk-management process, whereby risks are systematically identified and addressed. If you are not already familiar with classic risk terminology: an asset is something you value; a threat is something that can affect your asset; a vulnerability is something that increases the likelihood that the threat will occur; and a control is something that will improve the situation, by preventing, detecting or otherwise reducing the impact of a threat. So, as an example: an asset might be your kitchen; a threat might be a fire; a vulnerability would be storing napalm in the kitchen; and a control might be installing a fire extinguisher.

When it comes to a penetration test, the goal of the exercise is simply to find all of the security vulnerabilities that exist in the systems being tested. In this case, a vulnerability is anything that increases the likelihood of an attacker disrupting, or gaining unauthorised access to a system and any data contained within it. In practice, the most common vulnerabilities tend to be design flaws, configuration errors, and software bugs. These get introduced during development and implementation, and once identified by the pen test, they can usually be quickly resolved by a little re-engineering.

The term "penetration testing" itself is actually an old military term, which in turn became a security industry buzzword. There was a time when it was used to mean something quite specific, but these days it is commonly used by customers to refer to just about any type of security testing. We won't be bucking the trend either; part of the beauty of the English language is the way it evolves and changes with time!


What value do I get from a Penetration Test?

At its most basic, a penetration test will produce a list of vulnerabilities which will allow you to plan and prioritise any improvements to the way you process and store your data, and thereby reduce your organisational risk. However, whilst this is valuable in itself, there is a lot of additional value that lies elsewhere. Through showing a commitment to a responsible process, you build trust with your clients, partners and regulating bodies that you take your security obligations seriously.


Must I have a penetration test?

For some organisations choosing to have a penetration test will be a matter of preference and down to their appetite for quantifying their risks. However, for other organisations it will be a mandatory requirement, due to one of the following reasons:

- Some industries and types of data are regulated and must be handled securely (like the financial sector, or government, medical, personal or credit-card data). In this case your regulator will insist on a pen test as part of a certification process;

- Your organisation may maintain a quality accreditation, like ISO27001, which will require regular security testing to retain the certification;

You may be a product vendor (like a web developer) and your client may be regulated or accredited, and so will ask you to have a penetration test performed on their behalf.


What can be tested?

- Off-the-shelf products such as servers, smart phones, firewalls and routers.
- Bespoke software development such as web sites, mobile applications and games.
- Telephone equipment such as exchanges, smartphones, VOIP and fax servers.
- Wireless systems such as WIFI networks, RFID tokens, and contactless cash.
- Physical protection such as CCTV, door entry systems and mechanical locks.


What should be tested?

Your organisation should already have a risk management process, and so will be aware of your main threats (such as communications failure, e-commerce failure, or loss of confidential information, etc.). In which case, you can now simply use a penetration test to identify any vulnerabilities that are related to these threats.

Sometimes, however the 'what' will be defined by your particular circumstances. It may be that a customer is asking you to provide independent proof that your product is trustworthy, before placing an order. Or sometimes the 'what' of the process may be dictated by the regulations that your organisation is required to comply with. For example, the PCI-DSS credit-card handling standard requires that all the components that store or process card-holder data are tested.


Are there any penetration testing certifications?

There is a collection of organisations that provide standards and certifications for both the individual consultants and the vendors that deliver penetration testing. Like most things though, certifications don't tell the whole story: experience and approach are far more relevant than a piece of paper in the real world. For example, everyone who drives a car is required to have a driving license; but just because they do, it doesn't mean they will be a good driver.

In the UK, the main certification schemes are Check, CREST and Tiger, which are all broadly equivalent as far as the level of knowledge required for a consultant to gain an accreditation.


Why Corsaire for Penetration Testing

Corsaire was formed eighteen years ago, in 1997, as one of the first independent security specialists, and since this time has been providing best-in-class security testing services to clients, around the globe.

Over the years, we have helped shape many of the prevailing security standards that are now taken for granted. So, as you would expect, our approach to security testing meets and exceeds all the common standards and accreditations, such as OSSTMM, OWASP, CHECK, CREST and Tiger.

Whilst the heart of what we do is deeply technical, the way that we deliver it is firmly rooted in the values of the previous century. Personal service, quality and flexibility distinguish the way that we do business.

Our distinctive approach is apparent in everything we do, and we are resolutely proud of our culture. Like artisans of old, we believe that the measure of our worth will only be found in the quality of our workmanship, which should always speak for itself.


What value do I get from a Penetration Test?

A Corsaire penetration test will produce a list of vulnerabilities and remediation steps/guidance which will enable you to plan and prioritise any improvements to the way you process and store your data, and thereby reduce your organisational risk.

From a commercial perspective, a penetration test can help close new business opportunities. If your customers are regulated, they may in turn need you to show that your product(s) or environment are security tested regularly. Being able to demonstrate this as part of your negotiations may be critical to you receiving the order.


What next?

If you would like more information on penetration testing, a free no-obligation discussion with one of our team, get in touch.

Request Penetration Testing Information

Enter your details and we'll be in touch.