A web site is key to any modern business, regardless of platform or media: it acts as a shop front, store, means of contact and so much more! Hundreds if not thousands of sites or domains are registered every day, and these sites become rich pickings for prospective attackers.
No matter what your business or website does, without the proper security measures in place your website can be compromised, exposing your data or your customers' information, used as a way into your clients, or used for bigger things such as an attack on other sites or businesses.
We specialise in the security and protection of web sites and applications and can carry out tests and suggest enhancements or implementations which protect the site from existing or future security issues.
Obviously, nothing is completely infallible, and if a site is not tested regularly, other issues can arise which may lead to bigger and nastier things down the line.
We would recommend testing a website or application at least once a year, or after any major change to its layout, platform or operation, such as moving the hosting or employing a different management agency.
What do we test for?
When commissioned to do a Web Penetration Test, we check for all known vulnerabilities in the hosting, the website code itself, any database behind the scenes, and the platform the site is integrated into or the CMS (WordPress, Joomla, Drupal etc.) in order to find any weakness that could be exploited by a hacker or malicious operative.
Generally, we will leave no stone unturned to find out everything we can about the website or application and its security posture. Once we have completed the tests against the system, we will produce a report setting out what we have found in an easy-to-understand way, with recommendations on how to remediate the issues.
Once the remediation has been done, we would suggest a secondary test to confirm that everything that needed fixing has been fixed, and that nothing new has appeared in the time between the tests.
Some of the remedial work we can do for you, or it can be passed to whoever manages your site or application for further review. We are happy to work alongside third parties to complete the process, and would suggest that if you have someone managing the site or application, they are notified that we are conducting a Pen Test of the system, as they will at some level need to be involved.
What do we need?
First off, as with any Pen Test, we need written permission from the owner of the site or application to be tested. A scoping document will be drawn up stipulating where and what is included in the test. Third parties will also need to be notified; it is down to the site owner to obtain permission from the hosting company or the provider of anything on the back end where the site is hosted or managed. We would also strongly recommend fully backing up the site and any databases before we begin, just in case what we perform causes any issues: we don't want to take the site down during the investigation without a means of getting it back to where it was!
The Process
Once we have the signed paperwork and a suitable backup, we can begin testing, starting by gathering information about the site or application that would be useful for an attacker to know. When the information is gathered, we move on to the more active stage of poking about the site itself, finding anything that could potentially be exploited by malicious activity. Once these holes are found and documented, we move on to finding means of attacking these vulnerabilities, and of course documenting our procedures as we go.
When the testing is complete we will submit the report and go through with you any measures that need to be taken to improve the security of the site or application, as well as hardening any infrastructure that needs attention in the process.
Disclaimer
Please rest assured that we do not aim to cause harm to any site or application, and any exploitation we use or tools employed to carry out the checks will be removed on conclusion of the testing. We cannot stress enough, however, that a good backup should be made of any database, site, configuration or application prior to performing testing, manipulation of data or the subsequent remediation. We cannot and will not be held responsible for loss of or damage to any of these without a suitable backup.
Remediation of any vulnerabilities found is at the discretion of the owner. If recommendations are not carried out or additional changes are made, and the system is attacked by a third party, then we will likewise not be liable for any loss or damage to the site or to the employing company's data, reputation or earnings.
We can only check for what is known at the time of the investigation. Should a newer vulnerability be discovered after the test, and we become aware of it, we will notify you as our customer if we think it may be applicable. However, if this newer vulnerability is exploited in your system, we cannot be held responsible for its effects or consequences in an already tested environment.
If a Penetration Test discovers that a malicious presence is already in place, testing will stop immediately and the owner will be informed. We will then work with you to assist with removing the threat before continuing further operations.
Following a test, we will encrypt and archive the findings and reports for future reference only. We will not sell our findings to any other party, nor will we disclose the data we have handled to anyone other than the stakeholders who commissioned the testing. By request this information can be destroyed. Any material referenced for further testing or shared with non-stakeholders in the process will be anonymised.