Penetration Testing as a Service

Extend the value of a penetration test into a series to account for your solution’s development

Comprehensive penetration tests are invaluable for evaluating the security posture of a solution at one particular snapshot in time, but solutions such as web applications, mobile applications and internet-facing services are constantly evolving. Penetration Test as a Service (PTaaS) by Improsec fills the gap between annual or semiannual scheduled comprehensive penetration tests by extending the value of a penetration test into a series that is synchronized with your solution’s development.

PTaaS is flexible and scalable depending on your organization’s situation and needs. At a minimum, it includes a comprehensive initial penetration test as well as follow-up penetration tests during the year.

The follow-up tests are scheduled in accordance with the development plan (monthly tests are most typical). All tests in the service are conducted by the same dedicated team of security consultants, who benefit from continual knowledge of your solution’s development and the company’s needs. With each follow-up test, we determine how the solution’s security has evolved by searching for new or additional vulnerabilities, checking for changes, reviewing fixes made, and providing new recommendations in a written report.

The service concludes with a final report of all tests, including an executive summary, both technical and non-technical, recommendations, and findings.

Learn more about Improsec’s other penetration test services, including Internal Penetration Tests and External Penetration Tests.

Product

The deliverables of the PTaaS include a written report following each penetration test and a final written status-of-the-year report. The reports include:

  • A non-technical section with an executive summary for managers and decision-makers.

  • A technical section including detailed observations and tangible recommendations to improve the security level and hardening of the solution.

  • An overview of the test plan and a description of the process of all tests.

  • A non-technical section summarizing and describing the verified remediated observations.

Value

This service will help you plan your journey by providing:

  • Continuous identification of vulnerabilities in a solution and assessment of its resilience to cyber attacks

  • Continuous verification of remediated vulnerabilities

  • Continuous recommendations on how to strengthen the level of security

  • Ongoing follow-up testing performed by the same testing team

  • Improved development by integrating the penetration tests into your web development processes

Method

Our methodology is based on our extensive experience in security testing of web applications and is further supported by the OWASP framework and NIST guidelines for security testing. The methodology is specifically designed for web application testing and covers areas such as:

Information Exposure, Configuration and Deployment Management, Identity Management, Authentication Mechanisms, Authorization Mechanisms, Session Management, Input Validation, Error Handling, Cryptography, Business Logic, Client-Side and Attack Vectors.

The tests are performed as a combination of creative manual test actions and automated scans.

Involvement

The penetration tests require minimal involvement of your technical staff, but some follow-up involvement is to be expected.