Penetration Testing Assessments

Infrastructure and Network Penetration Testing

Peritus has the capability to conduct internal or external infrastructure penetration tests on all IP addresses linked to your organisation, location, or service (e.g., remote access via a VPN or web application).

By conducting unauthenticated external testing services, Peritus can identify the publicly accessible information and services. The initial phase involves identifying public services and examining the application to detect vulnerabilities. This includes scrutinizing services on public IP addresses such as Citrix, FTP servers, and VPN access for remote infrastructure administration. The assessment may also involve checking web services for OWASP top ten vulnerabilities on any publicly accessible pages, like login pages.

For an internal penetration test, Peritus can replicate potential threats within your internal network to evaluate the risks and impact on your organisation. Peritus can conduct authenticated or unauthenticated penetration tests on your internal network, review firewall rules, assess wireless networks, conduct segmentation testing, and collaborate with you to create a customised solution.

Web Application Penetration Testing

Peritus offers a web app pentration testing service that includes a security review to evaluate the web application from an authenticated standpoint. This type of test, akin to ethical hacking, aims to scrutinize the architecture, design, and setup of web applications. The assessment involves reviewing each page of the website to detect any potential vulnerabilities. Notably, the penetration test identifies common web vulnerabilities, such as OWASP top 10, using recognized methodologies like the OWASP Web Security Testing Guide (WSTG) and the OWASP Application Security Verification Standard (ASVS). Additionally, if necessary, the web application test can adhere to the CREST OWASP Verification Standard (OVS) framework. In cases where the application has multiple access levels (e.g., administrator and standard users), Peritus conducts tests to ensure that each level can access only information within their authorised privilege or tenant.

Cloud Penetration Testing

In addition to our on-premise testing services, Peritus offers cloud penetration testing services that encompass various deployment types, such as:

• AWS penetration testing along with other Cloud platforms such as Microsoft Azure, Google Cloud Platform (GCP)

• Cloud deployment models such as individually managed virtual machines (e.g., AWS EC2), automated deployments and configuration (e.g., puppet, chef or terraform), cloud services (e.g., Azure App Service, AWS Lambda) or container solutions (Kubernetes and Docker).

Peritus is capable of conducting a variety of penetration tests, from external unauthenticated assessments to security configuration reviews. For instance, a test could involve examining the publicly accessible IP addresses of a service, evaluating the configurations of key web and database components by running a CIS benchmark against them, and providing a high-level assessment of the entire cloud platform account. If the cloud infrastructure is interconnected with on-premise systems, Peritus can combine this with internal testing.

Mobile Application Penetration Testing

Peritus offers mobile app penetration testing services for apps deployed on Apple IOS or Android devices. The review aims to uncover vulnerabilities in the app to assess potential risks posed by malicious users. Peritus recommends testing based on the OWASP Mobile Application Security Verification Standard (MASVS), which includes Medium Risk (Level 1) and High Risk (Level 2) security verification levels. These levels focus on key security concerns like data storage, privacy, authentication, and network communications. Additionally, Peritus can conduct tests under the CREST OVS framework if needed.

Business-led Penetration Testing

Peritus offers specialised business-led penetration testing services in addition to traditional compliance-based tests. These tailored tests aim to tackle the specific issues and risks unique to your organisation.

Here are some examples of the issues Peritus delves into:

• Unauthorised Access Assessment: Identifying if external attackers can access sensitive client or financial records to evaluate your organization's critical information assets.

• Phishing Vulnerability Evaluation: Focusing on potential consequences if your organization falls victim to a phishing attack, including attacker capabilities, risks, and data breaches.

• Administrative Access Control Review: Scrutinising IT administration privileges to ensure appropriate access levels and secure admin accounts from regular accounts.

During these tests, Peritus integrates advanced technology-based methods aligned with your objectives. This approach offers assurance and valuable insights into your organisation's security stance, addressing specific security challenges and risks effectively.