FAQ

Frequently Asked Questions!

We have documented frequently asked questions about our Penetration Testing Software. If you cannot find the answer to your questions, please do get in touch directly. We’ll be happy to help.

What is penetration testing?

A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.

Pen testing can involve attempting to breach any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.

Why would anyone hack my website?

Today, most attacks target popular software rather than a specific company or website.

Attackers use automated tools to find common vulnerabilities, and once they gain access to a site they redirect its traffic for monetary gain, create back-links or send out spam. In some cases they even infect the site with malware, which may be harmful to the site's visitors.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation. Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is included with all penetration tests from Secuaudit, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers.

Against which threats and vulnerabilities does Secuaudit protect?

Secuaudit protects your site from a broad range of attacks, exploits, and other malicious activity targeted at your web site: everything from the most common SQL injection, XSS, XXE, LFI and DDoS attacks, to platform-specific vulnerabilities discovered just minutes earlier.

How long will the test take?

This is an impossible question to answer in general, although an accurate estimate can normally be made for a specific project based on previous experience. Testers may quickly find a number of serious, exploitable issues, or may spend a considerable amount of time attempting to exploit an obscure anomaly in a particular web page. What really matters is that the client is kept abreast of the test's progress and immediately alerted to any high-risk issues, problems or other potential issues that could affect project delivery.

Can a penetration test break my system?

Our penetration testing methodology is specifically designed to mitigate data loss, downtime and risks to our customers. In cases where exploiting a vulnerability carries a risk to the system, we will document the vulnerability, and report it to the client, but will not pursue the exploit unless our customer asks us to do so.

What happens after Secuaudit detects vulnerabilities on my network?

Secuaudit SaaS provides a detailed report outlining each vulnerability, including the vulnerable host(s), operating system weaknesses, the security risk level of the vulnerability, a description of the vulnerability, and a recommendation for correcting the problem.

Should we fix all of the vulnerabilities that are reported?

All vulnerabilities should be “addressed”. Every identified issue carries some degree of risk. We attempt to apply as much relevant context as possible to each finding, and high-risk issues in particular should be addressed promptly. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a mitigation plan should be put in place, and each of the reported vulnerabilities should be addressed as part of the plan. For any vulnerability there are only 5 possible ways to address the issue: (1) apply a vendor patch, (2) reconfigure a piece of software, (3) turn the affected service or server off, (4) apply a mitigating control (such as a firewall) to reduce the risk, or (5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option).

What will I see in my system logs?

Firewall logs will likely show a large number of connection requests on odd port numbers; this is part of the initial port scanning. Web server and application logs will show large numbers of 404 file-not-found errors, associated with a large number of strange-looking URLs. It’s quite common for even a basic URL scan to generate in excess of 20,000 requests, so don’t be too alarmed. Intrusion Detection/Prevention systems should raise a number of alerts on the various attack attempts. The tester’s IP addresses should be supplied to the client upon request in order to differentiate between the legitimate test and other potential attacks.
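As an added illustration of the last point (this is example code, not part of Secuaudit's product or this FAQ), the script below parses constructed web server access-log lines, counts 404 responses per client IP, and separates bursts coming from the declared tester addresses from bursts that merit investigation. The tester IP, the sample log lines and the threshold of 3 are all assumed placeholder values.

```python
import re
from collections import Counter

# Declared tester source IPs (constructed placeholder values, not real addresses).
AUTHORIZED_TESTER_IPS = {"203.0.113.10"}

# Combined Log Format fields: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access-log lines (not from any real server); the odd URLs
# mirror the "strange looking URLs" a basic URL scan leaves behind.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 196
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /backup.zip HTTP/1.1" 404 196
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 196
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "GET /.env HTTP/1.1" 404 196
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def classify_sources(text, authorized_ips, threshold=3):
    """Count 404s per client IP; a source at or above `threshold` looks like a
    scan and is labelled 'authorized-test' if it is a declared tester IP,
    otherwise 'investigate'. Below the threshold it is 'normal'."""
    not_found = Counter(e["ip"] for e in parse_log(text) if e["status"] == "404")
    labels = {}
    for ip, n in not_found.items():
        if n < threshold:
            labels[ip] = "normal"
        elif ip in authorized_ips:
            labels[ip] = "authorized-test"
        else:
            labels[ip] = "investigate"
    return labels, not_found

if __name__ == "__main__":
    labels, counts = classify_sources(SAMPLE_LOG, AUTHORIZED_TESTER_IPS)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {counts[ip]:3d} x 404 -> {label}")
```

On a real server the same logic would run over the live access log with the threshold tuned to normal traffic, and an "investigate" source during a test window is exactly the case the tester IP list exists to catch.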
