Pentesting & Code Audits

Pentesting

As part of a penetration test (pentest), your IT infrastructure (applications, networks, clients & servers) is checked for typical misconfigurations and vulnerabilities. A holistic approach is taken, meaning the application and potential vulnerabilities or findings are evaluated and assessed in the context of your organization. Each finding is given a risk classification based on various types of threat actors.

Depending on the test environment, common standards are used as the basis for the testing methodology, such as:

• OWASP Web Security Testing Guide (WSTG) for web applications
• OWASP Mobile Security Testing Guide (MSTG) for mobile applications
• MITRE ATT&CK for Enterprise for Active Directory and network infrastructure

Testing Areas

Web and API Security

• Security analysis of web applications and REST/SOAP APIs
• Identification of OWASP Top 10 vulnerabilities
• Authorization and authentication vulnerabilities
• Identification of SQL injection vulnerabilities
• Verification of server security settings
• Identification of Cross-Site Scripting (XSS) vulnerabilities

Mobile Security (Android)

• Analysis of Android apps for security vulnerabilities
• Verification of data storage and transmission
• Reverse engineering and analysis of protection mechanisms
• Verification of app sandbox and permissions
• Security of backend communication

Active Directory & Network Infrastructure

• Vulnerability analysis of Active Directory configurations
• Checking for privilege escalation paths
• Verification of Group Policy Objects (GPOs)
• Analysis of trust relationships between domains
• Verification of domain controller security settings

Methodology

The pentest is conducted as follows:

1. Initial Consultation

   • Definition of test scope and target systems
   • Determination of testing methodology and depth
   • Clarification of legal framework conditions

2. Planning

   • Preparation of proposal
   • Coordination of testing timeframes
   • Clarification of escalation paths

3. Execution

   • Technical security analysis
   • Documentation of all relevant findings
   • Impact assessment

4. Evaluation

   • Risk assessment of all findings
   • Creation of final report
   • Presentation of results

5. Follow-up

   • Support with remediation
   • Verification of implemented measures
   • Optional: Security training

After completing the pentest and implementing the recommended improvements, I will assist you in verifying the changes to ensure that all identified vulnerabilities have been properly addressed. Free retesting of critical findings is always included in the penetration test.

Code Audits

I offer code audits for software in various programming languages. With my expertise in pentesting, I can specifically investigate and uncover common vulnerabilities and attack paths. I offer, among other things:

• Web Applications: Code review based on common frameworks (Springboot, Laravel, Django) or custom developments
• Mobile Apps: Security analysis of Android and iOS applications
• Backend Systems: Review of business logic and interfaces
• Configuration Review: Analysis of security-critical configurations

Please don't hesitate to contact me!