Penetration testing

Assessment, testing and certification

Our penetration testing service (pentesting for short), NTXATTACK, is an ethical hacking service for assessing and testing the current level of security of either information systems or IT infrastructures.

Security testing engagements are usually combined with an overall architecture walkthrough, a security architecture review and, if necessary, a hosting platform (on-premise or cloud) configuration review from security hardening and software assurance point-of-views.

Application security testing

NTXATTACK is a software security assessment and penetration testing service. Typical assessment targets include software centric systems such as:

web applications and web sites
intranet and extranet sites and other sites with login and access controls
online stores, subscription based services or other professional services, often with payment integrations
backend systems serving e.g. IoT devices or mobile applications
API endpoints and such programming and integration interfaces
distributed systems, often characterized by a decentralized deployment model, replicated data storages, clustered access points and strict system availability and data integrity and consistency requirements.

NTXATTACK -approach and deliverables support both development teams and organizations acquiring external development services.

IT infrastructure security testing

NTXATTACK is an IT infrastructure security assessment and penetration testing service. Along the lines of a red team hacker penetration engagement, we work together with the customer’s technical team to walkthrough the target IT infrastructure and its current technical security controls to understand and document the starting point, define the scope and agree on the allowed measures of penetration attempted.

The IT infrastructure penetration testing is suitable for verifying the security of and identifying security vulnerabilities of e.g. an on-premise or cloud hosted IT environments, WiFi networks, server environments, remote working or teleworking setups.

Infrastructure penetration testing can be combined with server configuration reviews (security hardening, reliability, auditability).

CyberSafe certification

Netox CyberSafe is a hands-on cyber security certification for businesses, organizations and individual information systems. It is based on well-known and standardized reference frameworks and criteria such as ISO 27001, NIST, KATAKRI, VAHTI guidelines, OWASP ASVS/Top-10 and numerous other best practices. We wanted to bring an alternative to companies of all sizes who may not want, need or be able to get formal heavy duty certification.

CyberSafe covers the most important areas of administrative and technical information security with an emphasis on practical cyber security, often eliminating unnecessary bureaucracy for SMEs and reducing the requirements for documentation and management models, still not forgetting the importance of administrative security policies and proper information security governance.

CyberSafe certification is granted to NTXATTACK Application and NTXATTACK Infrastructure assessment targets that have no non-mitigated and exploitable critical or high vulnerabilities.

Why?

The primary goal of a security assessment is to verify whether the deployed (or planned, if security is considered before implementation, like it should be) security mechanisms provide adequate measures to guarantee cyber resilience and uninterrupted operations towards accidental and intentional disturbance.

The target system must support the required information security requirements and prevent any significant misconduct of its authorized and unauthorized users and clients, e.g. attempts towards data theft or corruption, bringing the system down or breaching backend corporate systems and networks.

Besides internal business interests of securing systems, customers and other third parties may present requirements for independent security audit or security assessment to be conducted against a software product, online service or, for example, to evaluate an organization’s cyber security capabilities as part of a due diligence process.