We provide superior information security services by delivering high-quality work at the best rates. With WebSec you can be sure that your confidentiality, availability and integrity are secure!
Senior Pentester. Five years of work experience in information security.
Graduated from the Berlin School of Economics and Law (HWR) in 'International Economics'.
One-time Pentest
WebSec agrees on a fixed price with the client for a full pentest. With this model WebSec delivers more results and detailed proof-of-concepts, with no strings attached. It is mainly intended for large businesses such as financial institutions that need to be sure that every function has been covered and is secure!
Advantages:
- Enough Time: All pages and features will be tested.
- More Results: The more testing time, the more results.
Disadvantages:
- This model can exceed the budget of the average startup and is therefore not suited for everyone.
Minimum Contract: 1 Week
Minimum Hours: 40 Hours
Periodic Pentests
WebSec agrees on a limited number of hours per month, which makes this affordable even for the smallest companies while retaining the same quality and expectations as a full pentest. In addition to pentesting services, the client can switch each month between other services from WebSec.
Advantages:
- Affordable: Same rates but fewer working hours, so the price tag can be lower.
- Flexible: Client can switch between a pentest or other services each month.
Disadvantages:
- One year minimum contract period.
Minimum Contract: 1 Year
Minimum Hours: 16 Hours / month
No Cure No Pay
WebSec only charges the customer for discovered vulnerabilities; the costs depend on the severity and impact of the vulnerabilities discovered. Request a quote to learn more about the pricing tables for the No Cure No Pay business model.
Advantages:
- Client only pays for discovered vulnerabilities.
Disadvantages:
- WebSec only tests applications under this model for specific clients who meet certain conditions; contact us for more information.
Minimum Contract: 1 Week
Minimum Hours: 40 Hours
Pentest is an abbreviation for 'penetration testing'. In a pentest, pentesters put themselves in the shoes of a hacker. They try in all kinds of ways and with all possible means to gain access to the tested IT environment. That way, they expose the weak spots of your website, application or even the entire IT infrastructure. After a pentest you can take targeted measures to remedy these vulnerabilities as well as possible.
Pentests provide insights with which an organization can strengthen security. This can be useful in all kinds of cases. For example, a pentest can identify the weaknesses of a server or website. In other cases it can also be valuable to map the overall security level of the organization.
The duration of a pentest depends entirely on the intended purpose, the chosen method and the available budget. Some pentests are very specifically aimed at a particular website or application. Other pentests are more broadly aimed, often even on the entire IT infrastructure. Depending on its size and complexity, a pentest can take weeks or even months.
A vulnerability scan checks IT systems for weaknesses through an automated process. As a result, a vulnerability scan is limited to known security errors. In many cases, a vulnerability scan does not have the intelligence to discover vulnerabilities that deviate from these known patterns.
A pentest goes much further: Pentesters search manually and automatically in the widest possible way for weaknesses in the IT environment, depending on available time, budget and scope of the assignment, using creative attack techniques, methods and tooling such as a vulnerability scan.
Roughly speaking, three test methods can be distinguished. There is no 'best' method, each variant has its own specific advantages and disadvantages. The choice therefore depends entirely on the circumstances.
1. Black box
In a black box pentest, the ethical hacker does not receive any information about the IT infrastructure in advance, but in many cases a scope is agreed to guarantee a complete investigation. The pentester simulates, as it were, the mindset of an opportunistic, uninformed hacker. Because the pentester has no prior information beyond the scope, but is limited by time and budget, this test variant is usually the least thorough. It is useful when, for example, you are performing a test for the first time and want to get a general idea of the security level.
2. Gray Box
A gray box test is a cross between a black box and a white box test. The pentester receives limited information about the IT infrastructure in advance, such as a customer or employee account.
Gray box tests are usually less thorough than white box tests, but they have a realistic starting point. The pentesters thus have about as much prior knowledge as, for example, a disgruntled customer or employee, or a well-informed hacker. Gray box tests are therefore often used to assess how safe an environment is from a customer or employee perspective.
3. White Box (also known as: Crystal box)
Pentesters get full disclosure with a white box pentest in advance. This allows them to perform the pentest very thoroughly. The disadvantage of this method is that it takes a lot of time, because the entire scope is examined in detail. This method is often applied to a limited scope, for example an application that is very important (business-critical) for the customer.
A security company with good intentions will always sign an NDA (Non-Disclosure Agreement) in advance. Any data found is then in safe hands, often under penalty of a hefty fine.
An important distinguishing factor is the way in which we guide customers. Good consultation runs as a common thread throughout the entire process. We clearly determine the scope, approach and objectives of the pentest in advance. This is how we maximize the effectiveness of the test.
Afterwards we record and present all findings. We provide a clear report aimed at management, and discuss a technical report with the IT department and/or programmers.