A penetration test allows for multiple attack vectors to be explored against the same target. Often it is the combination of information or vulnerabilities across different systems that will lead to a successful compromise. While there are examples of penetration testing that limit their scope to only one target via one vector (for example, a web application pen test conducted only from the point of view of the Internet browser), their results should always be taken with a grain of salt: while the test may have provided valuable results, those results are only useful within the same context in which the test was conducted. Put another way, limiting scope and vector yields limited real-world understanding of security risk.
While a QPT may involve use of automated tools and process frameworks, the focus is ultimately on the individual or team of testers, the experience they bring to the test, and the skills and wherewithal they leverage in the context of an active attack on your organization. This can’t be over-emphasized. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind, which can think laterally and outside of the box, can both analyze and synthesize, and is armed with motive and determination.
Web Application Security
More than half of all breaches involve web applications — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production.
The web application security service focuses on websites as specified by the customer. This service is designed to analyze web applications and web servers to determine vulnerable areas where an attack might occur. Detailed QPT reports provide a breakdown of risk levels for the vulnerabilities discovered on each URL scanned. Reports also provide recommendations for remediating or mitigating identified issues.