The External Security Test (TSE) consists of testing the resistance of your business application, web application, information system (IS), or external infrastructure exposed on the Internet, against an external threat. By attempting to compromise your platform, our IT security experts identify its vulnerabilities and give you the keys to correct them. You can thus secure your system exactly where it needs it.
Vulnerability testing: stay a step ahead of the hackers
IT vulnerabilities are commonplace and an integral part of the Web market. Furthermore, with companies’ digital transformation, the advent of the cloud, the proliferation of applications and SaaS services resulting in an increasing number of interconnections, the risks just keep growing. Hackers have more and more opportunities and entry points to exploit to compromise your information system.
Even if IT security is incorporated from the design phase of a project onwards, you cannot be certain that everything has been considered: no one is infallible. Penetration testing verifies the effectiveness of your final platform’s security under operational conditions. If you are aware of your weaknesses, you can correct them and improve your business’s security.
Penetration testing: real conditions for optimal protection
The external penetration test (or External Security Test) tests the security of your information system, business application or web platform against external threats.
The goal of the first step of this test is to define the scope of the mission.
Our sales and technical teams will work with you to define the outlines of the project (scope of the mission, performance targets, resource targets, planning, and so on), according to the risks that weigh on your business, your stakes and your production constraints. Once this has been formalised in a contract, our team of security consultants will be able to begin the penetration test.
Performance of the service and delivery of the results
Our IT security experts put themselves in a hacker’s shoes and attempt to penetrate the platform you want to test using all means possible.
They try to compromise your system by looking for flaws in the same way as a hacker would. They then use these flaws to infiltrate your system as deeply as they can up to the point of obtaining sensitive data or taking control of your system, if possible.
Our experts document their actions progressively and then provide you with a report explaining how they managed to find and exploit your vulnerabilities. This information comes with recommendations for corrective actions to implement to address the flaws. Your application, website or information system is protected against the worst attacks identified by our “good guy hackers”!
Our experts are also available to assist you in implementing the recommended corrective actions.
Of course, unlike a hacker, our experts will not exploit the flaws they find in your systems outside the context of this penetration test and will not keep any data they may have retrieved. All the data collected is returned to you at the same time as the final report, and these two elements, which are both strictly confidential, are only shared between the project leads in your company and the Net4All security team.
Security testing: two methods for two goals
There are two methods for carrying out an external penetration test corresponding to two different needs.
Black box testing
A black box penetration test is a blind test. Our experts have no information on the scope that you wish to test and operate as malicious third parties who target your site in an opportunistic manner. These tests may require a lot of time and may not always be exhaustive since the experts have to test the numerous existing methods.
Grey box testing
During a grey box penetration test, our experts have some information concerning your system, such as its internal mechanisms, or benefit from access to your application through a user account. This enables them to focus their investigation on the risks that weigh on your business and to go further while maintaining a realistic approach, since this information could easily have been retrieved by a hacker.
For example, this type of penetration test may be suitable for file servers, a VPN connection or any service that can be accessed by a user via authentication to attain an initial level of permissions.
When should this type of audit be put in place?
Throughout an IT project’s life!
The hacking market changes rapidly, and numerous flaws are discovered every day; therefore, it is important to test your system regularly (every 1 to 3 years).
However, certain moments in a project’s life are more critical and conducive to implementing this type of penetration test than others. Here are a few non-exhaustive examples:
- During an IT project’s acceptance test phase, during the build phase and before its production launch
- During each major update, use of a new network protocol, major code modification, addition of a new plugin, and so on, which can create new flaws in a totally invisible way
- After a suspected information leak/hacking incident or the detection of a suspicious event
Where is the penetration test performed?
Since the goal of the External Security Test is to identify your system’s exposure to the risk of external hacking, these penetration tests are generally performed from our offices.
If, for your own reasons, you would like our experts to come to your company’s premises during the test period, we will examine this request in accordance with the scope of the mission to be carried out.