
Penetration tests

Intrusive audit

A penetration test (or pen test) consists of behaving like a hacker: trying to find potential weaknesses in an information system and carrying out a real-time intrusion into it.
Several options are available for a pen test. The first is the kind of access our engineers will have to your infrastructure:

  • External audit
  • Internal audit

An external audit simulates outside attackers trying to gain access to your information system through its visible part (websites, remote access, mail servers, ...). It is well known that 70% of the attacks are inside jobs. This is why we offer internal pen tests. In this case, our people will have access either to one of your workstations or to your network with one of our laptops.

    The second choice you will have to make is related to the level of knowledge that will be given to our engineers:

  • whitebox audit
  • blackbox audit
  • greybox audit
    In the first case our people will have the same level of information as your IT staff. If the pen test is done in blackbox mode, they will have no prior knowledge of your infrastructure except what is publicly available. In special cases, a third option can be chosen: greybox mode. In this case, our engineers will start in blackbox mode but, as they gain access, they will be provided with information in order to probe specific targets.

    Thus, a pen test requires a very high level of technical skill in order to produce a credible result. The SCRT team is comfortable with the latest hacking practices and has strong experience in software and application security audits. The goal of an intrusion test is, above all, to give you advice aimed at improving your security level.

     

    Semi-automated non-intrusive audit

    This kind of audit is not performed directly on the customer's network but on its relevant functions, which the audit will have highlighted.

    Advantage of this method: the customer's network is not disturbed by the audit and remains 100% available. Configuration changes are taken into account at once. We can map changes onto the simulation model (change of OS version, ...). We can change the source on the vulnerabilities side as well as on the setup dump side. The modelling language stays the same, so the audits are consistent.


    Application audit and code audit

    As 80% of security failures happen because of errors (or lapses of memory) made while applications are developed, it is very important to write strong and robust code, especially when the applications work over the Internet (websites, extranet, VPN, ...). Thanks to our engineers, experts in most current languages, and to the tools we have developed, we are able to certify the code of most applications. Many incidents also occur because of manipulation errors or breakdowns. Those points are also checked in the software tools approach.

    SAP audit

    With SAP tools (AIS) or with open source tools like Saphyto, SCRT conducts SAP audits. Here are some typical verification steps:

    • Installed Hot Packages
    • Password security policy
    • Password forbidden words
    • Users with development authorizations
    • Default users
    • Blocked users
    • Inactive users for more than N days
    • Users with unrestricted access to transactions
    • Users with powerful profiles
    • Direct access to database tables
    • RFC security


    
    
