Hedgehog Security

What is CREST accredited penetration testing?

Posted July 24th, 2022 (2022-07-26T10:45:57+01:00)

CREST accredited penetration testing (also referred to as pentesting, pen testing and the often confusing PEN testing; no, we do not know why people capitalise the shortening of Penetration either) is a type of ethical or white hat hacking engagement designed to identify and address security vulnerabilities in your people, processes and technology. Most often


Does your Pentest satisfy ‘x’ Compliance Requirements?

Posted July 24th, 2022 (2022-07-24T10:00:00+01:00)

A question we hear often is whether we can meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI, HIPAA, SOC2, and others. That said, each compliance standard is different. For example, CREST approved pen testing requires specific tester qualifications. These requirements should be


How much of your Penetration Testing is Automated vs. Manual?

Posted July 24th, 2022 (2022-07-24T10:01:10+01:00)

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, a large majority of our testing is manual. The amount of manual work varies project-to-project, but around 80% of the pentest is hands-on for large infrastructure pentests. For


How soon can you start on my project?

Posted July 24th, 2022 (2022-07-24T09:53:49+01:00)

We understand that clients often have hard deadlines that they’re trying to meet. Whether you’re trying to meet client requirements which rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning & preparation for our assessment team and our schedule can be


Should we fix all of the vulnerabilities that are reported?

Posted July 24th, 2022 (2022-07-24T09:52:49+01:00)

You should evaluate all of the vulnerabilities using a risk-based model first. Each vulnerability should be evaluated for business impact and probability of being exploited to ultimately assign a risk rating. Companies should have risk criteria defined in order to determine thresholds for remediation. Vulnerabilities above the threshold should be remediated or appropriately compensated for in order to bring them


We have our website hosted with a third party. Should we test it?

Posted July 24th, 2022 (2022-07-24T09:51:36+01:00)

Maybe. Is anyone testing the third party already? The first thing to do is to find out if the third party service provider is already having a reputable network penetration test provider review the website. If so, due diligence is needed to validate that the scope is appropriate, review the methodology, and understand whether any key findings were observed.


How do we prepare for a penetration test?

Posted July 24th, 2022 (2022-07-24T10:02:17+01:00)

In general, there is no need for anything special to prepare for a penetration test with respect to how security controls are managed on a day-to-day basis. Remember that a penetration test is a point-in-time review of the environment. The test is going to assess the security posture at that particular point in time. If patches


How do we validate vulnerabilities have been remediated?

Posted July 24th, 2022 (2022-07-24T09:48:08+01:00)

Validating that vulnerabilities have been remediated can be performed using a variety of methods, either in-house or through external independent verification testing. Some organizations prefer to track remediation in-house and possess the resources to independently validate successful remediation; however, most seek independent validation and should have a remediation verification test performed. This is why it is critical


What penetration test documentation or reporting should I expect to receive when the test is complete?

Posted July 24th, 2022 (2022-07-24T09:46:17+01:00)

Once the penetration test is complete, you should receive pen test documentation in a report or deliverable detailing all of the findings, recommendations, and supporting evidence. The deliverable should clearly document the scope and boundaries of the engagement as well as the dates the pen testing was performed. Additionally, all detailed findings should be included in


What qualifications should the penetration testing team possess?

Posted July 24th, 2022 (2022-07-24T10:11:31+01:00)

When a penetration testing provider is hired, the hiring company should expect that every penetration test team includes a dedicated project manager, a skilled and experienced test team, resource coordinator(s), and a point of escalation. The test team should include individuals with in-depth experience across multiple technologies including client platforms, server infrastructures, web application development,


What are the different options for pen testing?

Posted July 24th, 2022 (2022-07-24T10:10:31+01:00)

The most common areas selected for pentesting scope typically include external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are typically all performed as part of a single engagement, but differ in their testing approach.

Web Application Pentest: Based on the sensitivity or value of a web application, an in-depth review


How is the scope of a penetration test defined?

Posted July 24th, 2022 (2022-07-24T09:41:42+01:00)

Collaboratively, the scope of a penetration test should always be customized to suit the unique nature of the business and understanding of their risk profile. A variety of considerations, both internal and external to an organization, impact and guide the scope of a penetration test:

- The nature of the business and types of products/services offered
- Compliance requirements and deadlines
- Geographic considerations
- Organizational
