** Our Approach to Penetration Testing

Our consultants have carried out dozens of assignments, for large and small organizations across all sectors, and we know what customers expect from a penetration test.

* Tailored
  There is no such thing as a standard penetration test: all clients have their own needs, reflecting threats and vulnerabilities as well as budget constraints. We make sure that our services meet real needs by treating each audit as a project in its own right. This includes providing a full proposal for all work (however small), holding clarification and set-up meetings as appropriate, and continuing the liaison throughout the active testing work.

* Supported
  Individual audits need to be backed by detailed technical knowledge. Each project that we carry out includes at least one member with several years' penetration testing experience, gained on a number of assignments covering a range of target types. Beyond the immediate participants, the company offers full technical back-up.

* Transparent
  Results and recommendations are only of real value if they are based on a clearly specified approach, with the results and reasoning available for inspection. Our methodology and reporting style carefully separate issues, evidence and conclusions.

* Authoritative
  For our clients to have confidence in the findings, false positives and other noise must be removed from the presented results: in fact, most of our effort is expended after any scanning tools have been run. Careful analysis confirms any notified vulnerabilities and also teases out any false negatives - these are cases where automated tools have not found any issues but wider knowledge of the target system raises suspicions that need to be followed up. It is also important to emphasise real issues that could be exploited in the target's environment, rather than theoretical vulnerabilities where the risk is minimal.

* Constructive
  Our reports give specific and relevant advice, presented clearly and concisely. Although many security vulnerabilities appear time and time again, we review each issue afresh each time it occurs, using our own knowledge plus research findings to present it in context.

* Extensive
  Testing is often provided as part of a wider security initiative, and our clients expect more than a narrow focus on finding specific holes. We offer a wider perspective by making use of our practical experience in other network security fields, including intrusion protection, firewall configuration, and UNIX and Windows system management. In some cases, we also uncover and report issues that fall outside the strict network security brief but which are nevertheless of real interest to client staff.

* About Us
  IDsec is an independent company specialising in network security, and has provided penetration tests and intrusion detection systems since 1997. We can assess the security of your enterprise and advise on long-term protection: as we have for a range of blue-chip clients in the banking, telecoms, manufacturing and utility sectors.

IDsec Limited
31-33 College Road, Harrow, Middlesex HA1 1EJ, United Kingdom
T: +44 20 8861 2001
F: +44 20 8861 3433
W: www.idsec.co.uk

All prices exclude VAT and are subject to confirmation.

Copyright (C) 2011 IDsec Limited
services/testing/approach.txt 20110914 (5.11)