About us

Who are we

Joel Aviad Ossi

Senior Pentester. Five years of work experience in information security.

Founder & Pentester

Polina Voronina

Graduated from the Berlin School of Economics and Law (HWR) in 'International Economics'.

Consultant

Ameer Ashhab

UI & Frontend Designer focused on designing powerful digital applications.

Designer

Services

Security Project
  • Manual Pentests
  • Extended reports
  • Presentation of results
  • Website Seal
  • PCI, NEN, ISO and BIO compliant

Pentest Subscription
Starting prices: € 1600 / month
  • Manual Pentests
  • Extended reports
  • Presentation of results
  • Website Seal
  • PCI, NEN, ISO and BIO compliant

Other Services
  • Red Teaming
  • Social engineering
  • Security Awareness Training
  • DigiD security assessment
  • PCI security assessment

Model

One-time Pentest
WebSec will agree on a fixed price with the client for a full pentest. With this model WebSec delivers more results and detailed proof-of-concepts at a price agreed in advance. This model has no strings attached and is mainly intended for large businesses, such as financial institutions, that need to be sure that every function has been covered and is secure.

Advantages:
- Enough Time: All pages and features will be tested.
- More Results: The more testing time, the more results.

Disadvantages:
- This model can exceed the budget of the average startup and is therefore not suited for everyone.

Minimum Contract: 1 Week
Minimum Hours: 40 Hours


Periodic Pentests
WebSec will agree on a limited number of hours per month, which makes this affordable for even the smallest companies while retaining the same quality and expectations as a full pentest. In addition to pentesting services, the client can switch each month to other services from WebSec.

Advantages:
- Affordable: Same rates but fewer working hours, so the price tag can be lower.
- Flexible: The client can switch between a pentest and other services each month.

Disadvantages:
- One year minimum contract period.

Minimum Contract: 1 Year
Minimum Hours: 16 Hours / a month


No Cure No Pay
WebSec will only charge the customer for discovered vulnerabilities; the costs depend on the severity and impact of the vulnerabilities discovered. Request a quote to learn more about the pricing tables for the No Cure No Pay business model.

Advantages:
- Client only pays for discovered vulnerabilities.

Disadvantages:
- WebSec only tests applications under this model for specific clients who meet certain conditions; contact us for more information.

Minimum Contract: 1 Week
Minimum Hours: 40 Hours


Steps

Intake

We will establish a line of communication with you to discuss your pre-test needs such as the test scope, requirements, disclaimer and contract.

Plans

We then start planning. During planning we choose a start and end date together, and you determine the contact person for the pentest.

Pentests

After planning, we will start our security assessment on the agreed dates and times to see how well your current systems can withstand today's cyber threats. We always keep the contact person informed of progress and notify them immediately if very serious vulnerabilities are found.

Documentation

After an extensive pentest of your system or website, we start writing our report. We write two reports: a technical report and an executive report. Together they contain everything that has been done with your system, which vulnerabilities were found, detailed explanations of how those findings can be resolved, and an executive summary.

Delivery

We will then make an appointment with you to present our findings and to explain step by step what the findings mean. We do this without getting too technical, so that everyone can follow. We will explain clearly how the findings can be resolved.


CVE Numbers

Product           Date         Description                            CVE
Defense           10/01/2019   SOAP WSDL Parser SQL Code Execution    CVE-2018-16803
Serpico           12/18/2019   Privilege escalation                   CVE-2019-19857
TopManage OLK     20/01/2020   Account Takeover Exploit               CVE-2020-6844
LabVantage 8.3    17/02/2020   Information Disclosure Exploit         CVE-2020-7959
AdminPanel        22/05/2020   SQL Injection and XSS                  CVE-2020-13433
0-day [1]         xx/xx/2020   CVE has not been published yet         CVE-2020-9002
0-day [2]         xx/xx/2020   CVE has not been published yet         CVE-2020-9000
0-day [3]         xx/xx/2020   CVE has not been published yet         CVE-2020-8999

Frequently Asked Questions

What is a pentest?

Pentest is an abbreviation for 'penetration testing'. In a pentest, pentesters put themselves in the shoes of a hacker. They try in all kinds of ways and with all possible means to gain access to the tested IT environment. That way, they expose the weak spots of your website, application or even the entire IT infrastructure. After a pentest you can take targeted measures to remedy these vulnerabilities as well as possible.

When is a pentest useful?

Pentests provide insights with which an organization can strengthen security. This can be useful in all kinds of cases. For example, a pentest can identify the weaknesses of a server or website. In other cases it can also be valuable to map the overall security level of the organization.

How long does a pentest take?

The duration of a pentest depends entirely on the intended purpose, the chosen method and the available budget. Some pentests are very specifically aimed at a particular website or application. Other pentests are more broadly aimed, often even on the entire IT infrastructure. Depending on its size and complexity, a pentest can take weeks or even months.

What's the difference between a pentest and a vulnerability scan?

A vulnerability scan checks IT systems for weaknesses through an automated process. As a result, a vulnerability scan is limited to known security errors. In many cases, a vulnerability scan does not have the intelligence to discover vulnerabilities that deviate from these known patterns.

A pentest goes much further: pentesters search, manually and automatically, in the widest possible way for weaknesses in the IT environment, depending on the available time, budget and scope of the assignment, using creative attack techniques and methods as well as tooling such as vulnerability scanners.

Which different test methods can be used in a pentest?

Roughly speaking, three test methods can be distinguished. There is no 'best' method, each variant has its own specific advantages and disadvantages. The choice therefore depends entirely on the circumstances.

1. Black box
In a black box pentest, the ethical hacker does not receive any information about the IT infrastructure in advance, although in many cases a scope is agreed to guarantee a complete investigation. The pentester thus simulates the mindset of an opportunistic, uninformed hacker. Because the pentester has no prior information beyond the scope, but is limited by time and budget, this test variant is usually the least thorough. It is useful when, for example, you are performing a test for the first time and want to get a general idea of the security level.

2. Gray Box
A gray box test is a cross between a black box and a white box test, whereby limited information about the IT infrastructure is provided in advance, such as a customer or employee account.

Gray box tests are usually less thorough than white box tests, but they have a realistic starting point. The pentesters then have about as much prior knowledge as, for example, a disgruntled customer or employee, or a well-informed hacker. Gray box tests are therefore often used to assess how secure an environment is from a customer or employee perspective.

3. White Box (also known as: Crystal box)
In a white box pentest, the pentesters receive full disclosure in advance. This allows them to perform the pentest very thoroughly. The disadvantage of this method is that it takes a lot of time, because the entire scope is examined in detail. This method is therefore often applied to a limited scope, for example an application that is very important (business-critical) for the customer.

My organization has confidential data. Is it in good hands with a pentester?

A security company with good intentions will always sign an NDA (Non-Disclosure Agreement) in advance. Any data found is then in safe hands, often under penalty of a hefty fine.

How does a WebSec pentest differ from the competition?

An important distinguishing factor is the way in which we guide customers. Good consultation runs like a red thread throughout the entire process. We clearly determine the scope, approach and objectives of the pentest in advance. This is how we maximize the effectiveness of the test.

Afterwards we record and present all findings. We provide a clear report for management, and discuss a technical report with the IT department and/or programmers.

Contact

WebSec B.V.