Penetration Testing - Web, API, Mobile & Infrastructure

Penetration testing is regularly used by organisations as part of their ongoing cyber security strategy/program. It is a security exercise that involves our ethical hacking team launching up to date real world attacks against either your infrastructure, web, and/or mobile applications. We report back on the findings and how to remediate any identified vulnerabilities, this will allow you to better understand your security gaps, current cyber security risk profile and practical steps for improvement.

Testing can be conducted either externally (as an outsider threat) and/or internally (as an insider threat) to help you in determining exactly how effective your existing system defence mechanisms are, and evaluating whether or not your organisation is following cyber security best practice.

Kaon Security have wide ranging experience with complex architecture designs, the latest attack techniques, exploits and security flaws. This allows us to combine complex penetration testing attacks with exclusive techniques to achieve better outcomes.

Depending on the test targets Kaon Security follow a custom methodology based on industry standards such as Penetration Testing Execution Standards (PTES), Open Source Security Testing Methodology Manual (OSSTMM), and Open Web Application Security Project (OWASP).

During the penetration testing exercise Kaon Security provides a unique real life simulated hacking campaign experience, the highly experienced penetration test team go beyond the point of initial access or security gap discovery, allowing us to locate additional hidden risks or threats.

Contact us to discuss your testing requirements.

See how one NSW council strengthened its security with our Penetration Testing service.

Types of Penetration Testing

Penetration testing is generally categorised into three primary testing approaches. In order to deliver the outcome you wish for we recommend discussing your key objectives, budget and time frame with our consultants who will work with you to identify the most suitable testing approach.

• White Box Penetration Testing: allows the team to carrying out extensive penetration testing because it is carried out from a position of full knowledge of the target, in many cases this includes a source code and architectural review. This approach is typically suited to scenarios where you wish to assess every aspect of compromise, whether originating from an internal, external, or privileged attacker.
• Grey Box Penetration Testing: allows the team to focus on areas we think may be of more risk to you, and value to a hacker, because it is carried out from a position of limited knowledge of the target. This approach is typically suited to scenarios where you wish to assess a combination of your defensive controls, their effectiveness, and the overall security weaknesses of the target, whether originating from an internal or external attacker.
• Black Box Penetration Testing: allows the team to enact an anonymous penetration test because it is carried out from a position of almost no knowledge of the target. However, unlike a real-life hacking campaign this exercise is limited to agreed time and budget constraints which therefore means it will be less comprehensive. This approach is typically suited to scenarios where you wish to assess your defensive controls and their effectiveness from an external attacker.

Furthermore, web application penetration testing includes options for either authenticated or unauthenticated testing:

• Authenticated: used for comprehensive test scenarios where our team are supplied with credentials to be able to extend the scope of testing to include complex tasks, such as verifying the impacts of different authentication levels and associated data security risks. This approach guarantees full testing coverage and is typically suited to scenarios where you wish to assess every aspect of compromise, whether originating from an internal, external or privileged attacker.
• Unauthenticated: used for basic test scenarios, this approach is typically suited to scenarios where you wish to assess only the public areas of your target.