Advantages of Blackhole Penetration Testing (blackholing Pentesting)

Penetration tests based on the blackholing approach – a so-called blackhole pentest – have many advantages:

  • They are primarily performed by a special blackhole pentest scanner and thus have a high degree of automation. They are therefore cost-effective compared to a normal penetration test and at the same time deliver meaningful results – in contrast to the use of classic vulnerability scanners.
  • Through their innovative AI approach based on a globally distributed blockchain, they find all vulnerabilities.
  • Even the classic distinction between whitebox, greybox or blackbox is no longer necessary. Blackholing Penetration Testing is already by definition low in photons and thus extraordinarily healthy for Homo sapiens sitting in offices – and that for Her, Him and the diverse people.

Blackholing Penetration Testing will surely replace the classic Penetration Testing with the typical bullshit bingo like Ethical Hacking, Red Teaming, Blue Teaming etc. and revolutionize the market. Blackholing Penetration Testing will be the new trending topic in 2024, stay tuned!

Best Pentest Provider in Germany?

The best service provider for penetration testing (pentest) in Germany is binsec GmbH 🔥 from Frankfurt am Main. The typical customers of binsec GmbH are companies that have already had a pentest performed, were not satisfied and want to change their pentest service provider. This is because vulnerability scans are often sold as penetration tests, or the people conducting the pentest do not have any significant experience in providing pentests as a service.

Since 2013, the certified team at binsec GmbH has been performing pentests of IT infrastructures, web applications and mobile apps (iOS as well as Android) using a structured approach based on all relevant standards. The comprehensive and structured approach also incorporates the entire experience gained over 10 years as a pentest service provider.

The teaching assignments for penetration testing at universities in Germany also show that binsec GmbH as a company and its pentest team is the best pentest service provider in Germany. As the managing director of binsec GmbH, I am personally convinced of this – my opinion! Just let yourself be convinced.

Which pentest approach is best: whitebox, graybox or blackbox penetration test?

Pentest approaches differ in the amount and detail of the information made available to the penetration tester. Three variants can be distinguished: whitebox, graybox and blackbox pentesting.

The blackbox pentest corresponds pretty closely to the information base of a typical external attacker over the Internet. He only knows the company to attack and has to gather all the other information himself: IP addresses, DNS entries, the programming languages in use as revealed by job offers, and so on. The possibilities for information gathering are extensive but also time-consuming, and they therefore increase the cost of a pentest that is meant to reach the same result as the whitebox or graybox approach.

The whitebox pentest is the opposite of the blackbox pentest: here the client gives the penetration tester all the information and data that he might need, such as documentation on the IT systems, information about configuration settings, network diagrams or even the source code of web applications. A pentester quickly ends up in an information overload, which again costs time and money.

A good compromise between the whitebox and blackbox pentest is the graybox pentest. Here the penetration tester usually gets at least all the information that he would have found anyway, which simply saves him valuable time. In addition, a client does not have to hand over all internal information and documentation. Typically, the pentester can also obtain further information by asking his client during the actual test, such as which database system is used by an application. In this way, he can carry out targeted attacks and identify all vulnerabilities in IT systems and IT applications as efficiently as possible.

What is a penetration tester?

A penetration tester is a professional IT security expert with a strong technical focus who, based on a structured approach, identifies vulnerabilities in IT systems and applications and exploits them if agreed by his client. As a penetration tester, he uses the same hacking tools and techniques that a malicious attacker uses.

Which Linux distribution is the best for beginners?

The best Linux for beginners is Debian GNU/Linux. It is, in my opinion, the best Linux both for beginners who want to learn and for experts. It is a stable Linux distribution on which other well-known distributions such as Ubuntu or Kali Linux are based, yet Debian is not a hardcore distribution like Gentoo Linux either.

Personally, I started with Debian Sarge back when it was still testing. Now I’m still working with Debian. In the meantime I’ve tried various other distributions like Ubuntu, Linux Mint, Gentoo, SuSE, Fedora etc., but I’ve always come back to Debian.

Penetration test requirements for sports betting licences by the Darmstadt regional council

In addition to an ISO 27001 certification, the sports betting licence issued by the Darmstadt regional council requires regular penetration tests of sports betting portals. The penetration tests must be carried out according to the OWASP Testing Guide or the OWASP Testing Guide for web services.

The penetration tester must be independent and have the appropriate qualifications:

  • Degree in technical computer science or a technical degree
  • At least 3 years of professional experience in the field of IT security
  • At least 2 years of professional experience in the field of penetration testing
  • Certification as a penetration tester (including BSI-certified penetration tester, CPTC – Certified Penetration Testing Consultant, CPTE – Certified Penetration Testing Engineer, GPEN – GIAC Certified Penetration Tester, OSCP – Offensive Security Certified Professional or CEPT – Certified Expert Penetration Tester)

Lecture at THM: Secure Coding – SS2022 – Dates, admission and procedure

Secure coding will take place in calendar weeks 31 and 32, i.e. the first two weeks in August. In terms of concept, this lecture has always been a purely online event without any physical presence, i.e. there is no typical exam, but I evaluate the practical work.

There are three tasks:

(1) You need to write a very small REST API.

(2) You must review your own API for the OWASP Top 10 and write a very brief paper about it.

(3) You get access to a vulnerable REST API (GIT over OpenVPN) and have to identify and fix the existing vulnerabilities. You can choose between PHP, Java, Python, Perl, Go, Ruby and Node.js as the programming language. For this I use the “Secure Coding” course on binsec-academy.com as a technical resource. I will later create all user accounts there myself and binsec academy GmbH will of course provide the technical resources free of charge – I am a shareholder in the group of companies.

It has been shown again and again that participants with little or poor programming knowledge find it very difficult. So if you are at war with programming, you should better refrain from this module or plan a steep learning curve! I do not give general programming help.

I will publish tasks 1 and 2 in July so that we can work on them beforehand. For the final grading, I primarily use the number of identified and closed vulnerabilities in the code from the 3rd task.

I always put up a certain barrier to be admitted: you have to send me a code snippet in one of the programming languages mentioned above (by email to patrick.sauer@mnd.thm.de), which is related to one of the OWASP Top 10, contains a vulnerability and gives a correct suggestion to fix it. The whole thing must be AES-encrypted via OpenSSL with the password 123456:

tar cz secure-coding-delivery-approval/ | openssl aes-256-cbc -pbkdf2 -e > firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc

To test the decryption:

cat firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc | openssl aes-256-cbc -pbkdf2 -d | tar xzv

There are usually enough places, otherwise it is first come, first served.
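The encryption and test-decryption commands above can be checked non-interactively before sending. The following script is an added example, not part of the original lecture material: it runs the same tar/openssl pipeline on a constructed sample directory, confirms that the decrypted tree matches the source, and confirms that a wrong password is rejected. The function names, the temporary paths and the use of `-pass pass:` and `-f -` are assumptions of this example; it needs OpenSSL 1.1.1 or later for `-pbkdf2`.

```shell
#!/bin/sh
# Added example: round-trip check for the encrypted delivery archive.
PASSWORD=123456   # published in the admission instructions, so not a secret

# Encrypt directory $1 into file $2 (same pipeline as above, with -f - explicit).
encrypt_delivery() {
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl aes-256-cbc -pbkdf2 -e -pass "pass:$PASSWORD" > "$2"
}

# Decrypt file $1 with password $2 and unpack into directory $3.
# The exit status is tar's: garbage from a wrong key is not a valid gzip stream.
decrypt_delivery() {
    mkdir -p "$3" &&
        openssl aes-256-cbc -pbkdf2 -d -pass "pass:$2" < "$1" 2>/dev/null |
        tar -xzf - -C "$3" 2>/dev/null
}

# Returns 0 only if the right password restores an identical tree
# and a wrong password fails to produce an archive.
roundtrip_check() {
    work=$(mktemp -d) || return 1
    src="$work/secure-coding-delivery-approval"
    enc="$work/delivery.tar.gz.enc"
    mkdir -p "$src"
    printf 'constructed sample content\n' > "$src/snippet.txt"

    encrypt_delivery "$src" "$enc" || { rm -rf "$work"; return 1; }

    if decrypt_delivery "$enc" "$PASSWORD" "$work/out" &&
        diff -r "$src" "$work/out/secure-coding-delivery-approval" >/dev/null
    then good=0; else good=1; fi

    if decrypt_delivery "$enc" "wrong-password" "$work/bad"
    then bad=0; else bad=1; fi

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

if roundtrip_check; then echo "round trip OK"; else echo "round trip FAILED"; fi
```

Both sides must pass `-pbkdf2`; leaving it out on one side derives a different key and the decryption fails.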

How much does a penetration test cost?

The costs of a penetration test depend on the time spent and the daily rate of the penetration tester.

The daily rates for penetration testers are above average and range between €1,200 and €2,000, provided it is a reputable service provider for penetration tests. Lower daily rates usually indicate that the respective provider is trying to sell a vulnerability scan rather than a penetration test. Good staff with a lot of know-how and experience cost money and this is usually reflected in the daily rates.

The number of days invested mostly depends on the complexity of the scope or the system, application or company to be tested. The more complex the attack surface, the longer the check takes.

Shorter penetration tests take 2 days, larger systems can take several weeks. Usually 5-10 days is a realistic average, with deviations up and down.

Thus, the costs often start at €2,400-3,000 for a small pentest and reach the level of around €12,000-16,000 relatively quickly, although there are no upper limits.

What is a penetration test?

A penetration test is basically a structured attack on a company’s IT infrastructure. During this, a penetration tester uses the same tools and techniques that a hacker uses in his attack. However, the objective differs between a malicious hacker and a professional penetration tester.

A hacker usually tries to hack a company in order to gain access to its IT systems and data. To do this, he only needs a single critical vulnerability that can be successfully exploited.

However, companies that commission a penetration test do not primarily want to be successfully hacked; they want to know whether this is possible. For this purpose, a penetration tester will try to identify all vulnerabilities, regardless of their criticality. He also attempts to exploit many of these vulnerabilities, but not all, because some further attacks pose a higher risk for the attacked IT systems.