The purpose of penetration testing is to identify vulnerabilities in your systems so that you don't have to worry about the security of your data. We use the same techniques as real hackers and therefore test your systems against real-world attacks. The result of every penetration test is a written report with the identified issues together with our recommendations on how to fix them.
Types of testing
Web Penetration Test
This is manual penetration testing of web applications, supported by industry-standard tools. The tests are performed in accordance with the OWASP (Open Web Application Security Project) methodology.
Infrastructure Penetration Test
The penetration testing of infrastructure and systems also uses industry-standard tools together with manual testing by our experts. The tests are performed in accordance with the PTES methodology.
Only subjects concerning Masaryk University are tested. Testing of private websites and public entities is not performed within CSIRT-MU.
The testing itself can take up to one week. We also need a few days to complete the written report. In case of a retest, we need another week plus a few days for the final report.
First we have to agree on conducting the penetration test. In this phase we collect all the information we need to start testing: which addresses are part of the testing, which parts of the system are out of scope, what we should aim for or whether the objectives are up to us, etc.
2. Penetration test
In this phase the actual penetration testing can begin. If we find anything critical that cannot wait for the report, we will contact you. Otherwise, you won't know about the testing for the whole week (hopefully).
3. Initial report
After the testing is done, we write a report with all our findings, their level of importance and our recommendations on how to fix them or avoid them in the future. The report consists of both high-level information about the identified vulnerabilities and low-level technical details for your developers and administrators.
We give you some time to fix the issues, and after some time we perform another test to check whether the issues are really fixed. During this phase other issues might come up.
5. Final report
After all is done and retested, you get the final report with all the issues.