An automated scan uses a vulnerability scanner (such as Acunetix, Netsparker, Nessus or Qualys) to identify common vulnerabilities in systems and web applications. At the end of each scan, a report is generated automatically that lists the issues the scanner identified. Because nothing is verified by hand, that report usually contains false positives alongside findings that are only potential vulnerabilities (an issue flagged purely from a version banner, for example). Its risk ratings are generic: they are assigned per signature and do not take into account the system design, the nature of the application or its business logic.
A penetration test is a largely manual process that involves multiple phases and is carried out by a security professional. Although it may include the use of automated tools, especially in the preliminary phases of the test, a penetration test cannot be entirely automated. The process is customised to meet client requirements and to take account of the systems under test. Every identified vulnerability is verified to remove false positives and, within the agreed scope, exploited to demonstrate the real risk and impact of an attack. The resulting report includes a management summary as well as detailed information on each vulnerability, its risk rating in the context of your environment, and mitigation advice. Post-test discussions ensure the results and recommendations are fully understood.
| Area | Automated Scan | Penetration Test |
|---|---|---|
Blind Testing: If you would like us to test your firewall as if we were “real” hackers, you tell us nothing at all about your installation. We then have to perform a good deal of undercover reconnaissance, approaching the attack the same way a criminal would, including social engineering and even physical intrusion attempts, within the rules of engagement agreed beforehand.
Informed Testing: We sign a non-disclosure agreement with your organisation and you give us details of your firewall solution: the overall design, the IP addresses, the devices and products in use, and so on. We are then able to run a variety of tests against your firewall defences, using exploits appropriate to the devices and products actually deployed rather than guessing at them. Because no time is spent on discovery, this gives a more thorough result for the same effort.
Unless you specifically instruct us otherwise, we use a combination of professional commercial tools and those used by the hacking community. Running more than one tool against the same target exposes as many vulnerabilities as possible and helps identify false positives as well as false negatives, since different tools rarely share the same blind spots.
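The informed approach above turns a firewall test into an expected-versus-actual comparison: the client's design says which ports should be reachable, and the tester checks what really answers. The following is an added example of that comparison, not the firm's own tooling. It uses plain TCP connect probes; the targets are constructed locally (a loopback listener stands in for a permitted service, a second listener for a service the design never mentioned), and `expected_open` stands in for the port list taken from the client's firewall documentation.

```python
"""Informed firewall test: compare the documented design (which ports should be
reachable) against what actually answers. Added example; hosts and ports are
constructed on loopback so it runs offline."""
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class ExposureReport:
    confirmed_open: set = field(default_factory=set)        # in design and reachable
    unexpected_open: set = field(default_factory=set)       # reachable but not in design: firewall gap
    unreachable_expected: set = field(default_factory=set)  # in design but closed: rule too tight or host down
    confirmed_closed: set = field(default_factory=set)      # not in design and not reachable


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe: True only if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_exposure(host: str, expected_open, candidate_ports, timeout: float = 0.5) -> ExposureReport:
    """Classify every port from the design and the candidate list into the four
    buckets above. A blind test can only ever populate the two 'open' buckets;
    'unreachable_expected' exists only because the design is known."""
    expected_open = set(expected_open)
    report = ExposureReport()
    for port in sorted(set(candidate_ports) | expected_open):
        reachable = probe(host, port, timeout)
        if reachable and port in expected_open:
            report.confirmed_open.add(port)
        elif reachable:
            report.unexpected_open.add(port)
        elif port in expected_open:
            report.unreachable_expected.add(port)
        else:
            report.confirmed_closed.add(port)
    return report


def start_listener(host: str = "127.0.0.1"):
    """Constructed stand-in for a real service: bind an ephemeral port and accept
    (then immediately close) connections in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener socket closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port(host: str = "127.0.0.1") -> int:
    """Reserve then release a port so we know it is currently closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> ExposureReport:
    """Constructed scenario: the design permits one service; a second, undocumented
    listener is running; and one documented port has nothing behind it."""
    _permitted, permitted_port = start_listener()
    _rogue, rogue_port = start_listener()
    missing_port = free_closed_port()
    design = {permitted_port, missing_port}          # what the client says is open
    candidates = {rogue_port, free_closed_port()}    # real engagement: the full 1-65535 range
    return audit_exposure("127.0.0.1", design, candidates)


if __name__ == "__main__":
    r = demo()
    print("confirmed open:", sorted(r.confirmed_open))
    print("UNEXPECTED open:", sorted(r.unexpected_open))
    print("documented but unreachable:", sorted(r.unreachable_expected))
```

Against a client's real perimeter the `host` would be the supplied external address and `candidate_ports` the full range; the classification logic is the point. Anything in `unexpected_open` is a firewall gap to report regardless of what service sits behind it, while `unreachable_expected` is a finding a blind test cannot produce, because without the design there is nothing to say the port should have answered.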
We pride ourselves in being with you every step of the way in securing your infrastructure from attack.