
Our pentesting approach

The efficiency of penetration tests conducted by competent pentesters essentially depends on two parameters:

1. Time

  • The more time pentesters have, the more vulnerabilities they can find.
  • As the duration increases, the number of vulnerabilities found per unit of time decreases.
  • Rule of thumb: If a pentester does not manage to compromise an application within a certain timeframe, attackers will not succeed in targeted attacks under similar circumstances either.

2. Knowledge

  • The more background knowledge pentesters have, the more efficient they are.
  • Knowledge includes, for example, technical documentation, source code, and user credentials (often administrative ones as well).
  • Giving pentesters an information advantage creates a time advantage over real attackers.

For this reason, we try to define a reasonable timeframe for the scope (neither too short nor too long) and aim to acquire a sufficient amount of knowledge through communication with our clients. This particularly includes user credentials, documentation, and the impact on business processes.

To deliver the best possible performance at the lowest possible cost, we recommend and strive for penetration tests that fall between grey-box and white-box.

In some cases, we deviate from this approach. For instance, pure cloud tests (such as Entra ID, Azure Apps, etc.) are often more efficient as white-box tests, whereas a black-box test might be preferable when testing external perimeters with a large number of target systems and heterogeneous user access.

Source code analyses are also white-box tests but usually have the disadvantage of lower efficiency. We primarily recommend source code analyses for small but business-critical or high-risk pieces of code, such as (payout/payment) logic, approval processes, interfaces to physical devices, and similar components. In the web environment, we support common programming languages, including Java, C#/.NET, PHP, Python, JavaScript/TypeScript, as well as modern frameworks like ASP.NET, Django, Node.js, or Vue.js. Additionally, we are proficient in C and C++.

The rise of AI has not only made source code analysis feasible, it also increases our efficiency significantly. We recommend providing the source code of applications for automated analysis with our source code analysis framework. We can use self-hosted models on our own infrastructure (usually smaller), or cloud-hosted models hosted in the EU or in the US. We use cloud-hosted models for closed-source applications only with explicit permission from our customers.