Penetration testing

During a penetration test, we analyze your application from an adversary's perspective. We first threat model your application: we work out all the ways we could harm your application or your users, and how we would attempt to do that. Next, we try to materialize the potential harm we identified during the threat model.

A penetration test can be specific or broad depending on what you wish to test. For example, you may suspect that a particular part of your application is vulnerable to a specific vulnerability class. This can be the case when you have identified a vulnerability class in your application for the first time and want to determine whether it is a general problem, with other parts of your application vulnerable to the same class. Another motivation to conduct a penetration test is to get an outsider's perspective and look for unknown security issues and risks in your application. Sometimes you work so hard to secure your application against a particular set of risks that it becomes almost easier for an adversary to identify the next obvious entry points to your application. Whichever you choose, we can help, and we have carried out similar audits in the past. Ada Logics has audited software packages that are 20 years old, that run the world's software and that have likely had thousands of hours of security scrutiny, and we have audited new projects where the customers were interested in high-impact security hardening for young software projects.

Penetration testing + code auditing = better results

A penetration test can often be combined with a source code audit for better results: we can both run your software as you do in production and audit the source code. If you are planning a penetration test, we highly recommend this approach. Hiding the source code - in other words “security by obscurity” - is often not an adequate security mechanism, and giving us - the adversary - as much insight into your application as possible will yield the best results for you.

Finding the unknowns

A skilled attacker can see where you have hardened your application and where you haven’t. Often, the more you have worked on securing one part of your application, the clearer it becomes for an adversary to find the weak spots that you haven’t hardened. A penetration test can be a great process to explore where an adversary can break into your application, and you can explore the ways in which you have not secured your application.

Routine penetration tests

We are available for yearly penetration tests. Code changes over time, and vulnerabilities get introduced. Catch them with yearly checkups. Alternatively, a yearly penetration test helps you eradicate easily exploitable bugs and find deeper security issues.

Talk to us now about your penetration test
Contact Us