  • How can SecurityImpact offer such a low price?

Simply, a SecurityImpact consultant needs less time to complete a successful penetration testing project.

As you know, the most time-consuming activity in penetration testing is manually verifying and exploring the vulnerabilities. For example, with business logic vulnerabilities, the pen-tester must figure out the logic and find a way to break it. With extensive experience on hundreds of penetration testing projects, SecurityImpact's consultants do not need to spend hours on research and manipulation; instead, they can launch a successful test in minutes.

  • How does SecurityImpact perform the testing?

SecurityImpact consultants employ both automated and manual testing. The automated testing is done with commercial and open source security tools and scripts; the tools are able to test thousands of published vulnerabilities on all systems, services and applications in a short period of time. Manual testing is then performed to verify and explore the vulnerabilities, and to launch in-depth testing derived from the discovered information and verified vulnerabilities. In particular, business logic vulnerabilities cannot be detected by tools, as the tools have no ability to understand the logic, nor can they explore these vulnerabilities. Manual testing assesses, verifies and explores the business logic implemented in the application, specifically web applications, web services and mobile apps.

  • How does SecurityImpact ensure the quality of the vulnerability assessment and penetration testing?

SecurityImpact assigns consultants to each project based on their skill sets and knowledge; for example, only consultants with web application security assessment experience are assigned to perform web application security assessments. Raw test data and test results are reviewed and verified by a senior consultant to ensure the quality of the testing.

  • What am I getting after the testing?

SecurityImpact will provide a comprehensive report with the following content:

  1. Overview of the project
  2. Information gathered about the client's technical environment
  3. Summary of vulnerabilities with risk and impact rating and recommendations
  4. Detailed description of each vulnerability, including description, risk rating, exploitability rating, references and a step-by-step description of the test procedure (which the client can follow to repeat the same testing)

SecurityImpact will hold a meeting with your team to review and discuss the report and the identified vulnerabilities. SecurityImpact can provide the raw test data upon request; however, any review or discussion of the raw test data requires an extra fee.

  • How to engage SecurityImpact to perform the security assessment and penetration testing?

It is easy. You just need to sign the Statement of Work and send it to SecurityImpact. We will gather the information needed for the testing (e.g. IP addresses, domain names, testing windows, etc.) and schedule the testing at your desired time.