Senior Penetration tester. Several years of experience of professional practice.
Graduated from Berlin School of Economics and Law in "International economics".
WebSec will agree on a fixed price with the client for a full pentest. Under this model WebSec delivers more results and detailed proofs-of-concept at a price fixed in advance. This model has no strings attached and is mainly intended for large businesses, such as financial institutions, that need to be sure every function has been covered and is secure.
- Enough Time: All pages and features will be tested.
- More Results: The more testing time, the more results.
- This model can exceed the budget of the average startup and is therefore not suited for everyone.
Minimum Contract: 1 Week
Minimum Hours: 40 Hours
WebSec will agree on a limited number of hours per month, which makes this model affordable even for the smallest companies while retaining the same quality and expectations as a full pentest. In addition to pentesting, the client can switch each month between other services from WebSec.
- Affordable: Same rates but fewer working hours, so the total price is lower.
- Flexible: Client can switch between a pentest or other services each month.
- One year minimum contract period.
Minimum Contract: 1 Year
Minimum Hours: 16 Hours / a month
No Cure no Pay
WebSec only charges the customer for discovered vulnerabilities; the cost depends on the severity and impact of the vulnerabilities found. Request a quote to learn more about the pricing tables for the No Cure no Pay business model.
- Client only pays for discovered vulnerabilities.
- WebSec only tests applications under this model for specific clients who meet certain conditions; contact us for more information.
Minimum Contract: 1 Week
Minimum Hours: 40 Hours
We will set up a line of communication with you and discuss your needs, such as scope, rules of engagement and other requirements, prior to the test.
We will then begin planning: together we pick a start and end date and determine the contact person for the test.
After planning, we will begin our security assessment on the agreed dates and times to see how well your current systems can withstand today's threats. We will always keep the contact person in the loop about what is happening.
After extensively pentesting your system we will begin writing our report. The report will cover everything that has been done to your system, what vulnerabilities were found and detailed explanations of how to mitigate those findings.
We will then set up a meeting with you to present our findings and explain in detail what the threats mean. We will also include what needs to be done to better prevent those threats.
CVE-2018-16803: WSDL Parser SQL Code Execution
CVE-2020-6844: Account Takeover Exploit
CVE-2020-7959: Information Disclosure Exploit
CVE-2020-13433: SQL Injection and XSS
CVE-2020-9002: CVE is reserved but yet to be published.
CVE-2020-9000: CVE is reserved but yet to be published.
CVE-2020-8999: CVE is reserved but yet to be published.
Pentest is an abbreviation of 'penetration testing'. In a pentest, the testers put themselves in the shoes of an attacker. They try in all kinds of ways and by all available means to gain access to the tested IT environment. In this way, they expose the weaknesses of your website, application or even your entire IT infrastructure. After a pentest, you receive a report that contains solutions to remedy these vulnerabilities.
Pentests provide insights with which an organization can strengthen security. This can be useful in many cases. For example, a pen test can identify the weaknesses of a new server or website. In other cases, it can be valuable to map the overall security level of the organization.
Pentests generally make sense for organizations that rely heavily on the availability of their IT systems or have valuable data where integrity and confidentiality are paramount.
The duration of a pentest depends entirely on the intended goal, the chosen method and the available budget. Some pen tests are very specifically aimed at a particular website or application. Other pen tests have a broader focus, often even on the entire IT infrastructure. Depending on its size and complexity, a pen test can take weeks or even months.
A vulnerability scan checks IT systems for weaknesses through a fully automated procedure. As a result, a vulnerability scan is limited to known security errors: in many cases it lacks the intelligence to discover vulnerabilities that deviate from these known patterns.
A pentest goes much further. Pentesters search manually and automatically, as widely as the available time, budget and scope of the assignment allow, for weaknesses in the IT environment. They use creative attack techniques and methods, alongside tooling such as vulnerability scanners.
1. Black box
With a black box pentest, the ethical hacker receives no information about the IT infrastructure in advance. In many cases, however, a scope is agreed to guarantee a complete investigation. The pentester thus simulates the mindset of an opportunistic, uninformed attacker. Because the pentester has no preliminary information beyond the scope and is limited by time and budget, this variant is usually the least thorough. Black box testing is useful when, for example, you are performing a test for the first time and want to get a general idea of the security level.
2. Gray Box
A gray box test is a cross between a black box and a white box test. The pentesters receive limited information about the IT infrastructure in advance, such as a customer or employee account.
Gray box tests are usually less thorough than white box tests, but they have a realistic starting point. The pentesters have about as much prior knowledge as, for example, a disgruntled customer or employee or a well-informed attacker. Gray box tests are therefore often used to assess how secure an environment is from a customer or employee perspective.
3. White Box / Crystal Box
With a white box pentest, the pentesters get full disclosure in advance. This allows them to perform the test very thoroughly. The disadvantage of this method is that it takes a lot of time, because the entire scope is examined in detail. It is therefore often applied to a limited scope, for example an application that is business-critical for the customer.
A pentest organization with good intentions will always sign an NDA (Non-Disclosure Agreement) in advance. Data found during the test is then in safe hands, often under penalty of a hefty fine.
An important distinguishing factor is the way in which we guide customers. Good consultation runs like a thread through the entire process. We clearly determine the scope, approach and objectives of the pen test in advance. In this way we maximize the effectiveness of the test.
Afterwards, we discuss and present all findings. We provide a clear management letter to the business and discuss the technical details with IT. Together with the customer, we look at the feasibility and desirability of any measures and can help prioritize them, because ultimately a pentest must result in a higher security level.
All of our pentesters are CEH and OSCP certified, so you can rest assured that only skilled professionals will test your systems.