Penetration Testing

We sadly see it all too often: penetration tests that are little more than a vulnerability scan along with a customized report generated from those findings. You know you’ve had a bad pentest if:

This is a printer. (image of printing press)
This is an insecure, poorly built, rarely updated, network-connected, easily hackable COMPUTER that we can use to steal your data. It can also print, collate and staple. (image of multi-function printer)

Alasdair Has Broken through IT Security More Ways Than We Can Count

Sadly, it’s getting harder and harder to find quality pentests, in part because nowadays anyone who knows how to turn on a computer thinks they can be a pentester! At Alasdair, we have been doing penetration testing since 2000, well before many of these Johnny-come-latelies had even heard of security. Our reports are customized to your business, not to one sort of like it, and are certainly not some collection of out-of-the-box findings. We spend the time to understand the context of the testing, what it means to your business, and the specific risks your organization faces. This allows us to see what assets matter to your business, and how an attacker might be most likely to go after them. Armed with that, we can spend time doing testing that’s actually relevant. Moreover, we can then put that in a report that discusses not only the technical findings, but appropriate business context as well.

Let us talk to you about how our testing differs, and how we can build a custom testing solution around your needs. We will show you what real pentesting is all about, and how you can finally rid yourself of irrelevant and minimally useful pentest reports once and for all.

Talk to Alasdair: Keep your data safe & sound.

Application Penetration Testing

Sure, vulnerability scanners can do some very basic application penetration testing. Really good application scanners (and their corresponding exorbitant price tags) can do a better job. But we have found nothing comes even close to having a human do a deep-dive on an application to uncover flaws.

Our engineers use several tools and scripts, both commercial and custom, to uncover application-level flaws, along with the one piece of wetware no application scanner (currently) has: a human brain. Guided by many years of testing experience as well as a development background, we will find flaws that scanners simply can’t, and approach an application as a real attacker would: looking for critical assets, exploring common weak points and chaining combinations of attacks together to provide a proper simulation of what your application probably faces every day: intelligent threats.

Alasdair has a storied history of breaking applications before someone else does. Let us discuss options with you and we think you’ll see that a proper application pentest is not only a great way to improve security, but may help highlight weaknesses you hadn’t even considered.

Sidebar: Hacking the Un-hackable

Recently we had a customer come to us who has had application pentests done for years. With a background in security themselves, they had patched the few minor flaws other firms had found over those years, but no one had really gained substantial access. They considered the application essentially un-hackable!

Our engineering team did a thorough review and found not only two reflected cross-site scripting flaws that other tools and teams had missed, but also a remote Linux shell exploit complete with data exfiltration. Rather than being upset, our customer was thrilled we had identified the weaknesses and had them patched within an hour of explaining what we’d found!