F.A.Q

 

u

Passive reconnaissance phase

The auditor collects and uses public information in order to establish the cartography of the Information System, without direct interaction with the latter.

u

Active reconnaissance phase

The pentester uses scanning techniques to actively discover exposed services and interfaces. This phase also makes it possible to validate the information collected passively.

u

Conduct of an audit

An initiation meeting makes it possible to identify the needs and scope of the mission, as well as any constraints.

A legal mandate between the different parties is published in order to frame the audit service of DSecBypass.

The consultant in charge of the mission can be reached at any time during its execution and informs the customer in the event of a critical discovery.

u

What is pentesting, and what is it for?

A penetration test, also known as a pentest, is a controlled simulation of a computer attack designed to identify security flaws in a system, network or web application.
The aim is to detect and correct vulnerabilities before a hacker can exploit them.
Pentests enable companies to strengthen their cybersecurity, comply with regulatory standards (RGPD, ISO 27001, PCI-DSS, DORA, NIS2) and protect their sensitive data. It’s also a good way of increasing the cyber maturity of technical teams by involving them in restitutions.

u

What's the difference between a black-box, gray-box and white-box penetration test?

In cybersecurity, the methodology of a penetration test (or pentest) can vary according to the amount of information provided to the auditor prior to the audit. There are three main approaches:

  • Black Box testing

    • The pentester receives no prior information about the targeted system.

    • The audit simulates a real external attack, carried out by a hacker who discovers everything for himself.

    • Objective: to assess the resistance of systems exposed to the Internet and measure the risk of intrusion without internal access.

  • Grey Box test

    • The pentester haspartial information (limited user access, network diagrams, documentation).

    • The audit simulates an attacker who already has limited access or internal information, such as a malicious employee.

    • Objective: to verify internal security and the ability to contain an attack in the event of an initial compromise.

  • White box test

    • The pentester has full access to all information: source codes, configurations, administrator accounts.

    • The audit is exhaustive, enabling the detection of deep-seated vulnerabilities invisible in a more limited test.

    • Objective: carry out a complete security audit for accurate diagnosis and rapid remediation.

u

Penetration testing methodologies

The work of the auditors is based on the following public and internal standards :

  • Good practices specific to the technologies encountered
  • TOP10 OWASP and OWASP ASVS
  • SANS Top 20 critical controls
  • Guides and best practices from ANSSI
  • DSecBypass Expertise
u

Why perform a pentest?

The pentest is complementary and essential to the security measures already implemented in the Information System. It makes it possible to validate the security of the audited perimeter from an offensive point of view.

u

Deliverables

The report includes a summary of the results as well as the details of the vulnerabilities (CVSS score, impact, references) and recommendations identified.

The optional technical restitution is an opportunity for the consultant to present his approach and his results in an interactive way, and to discuss with the client and his teams on the action plan to be implemented.

Also on option, a managerial restitution makes it possible to address an executive audience.

u

What's the difference between internal and external penetration testing?

  • External penetration test Carried out from the Internet, it simulates an attack by an external cybercriminal. It evaluates perimeter security (web servers, firewalls, web-accessible applications).

  • Internal intrusion test Carried out from inside the network, it simulates a malicious employee or an intruder who already has physical or logical access. It can also be carried out from the Internet with nomadic access, to simulate the compromise of a remote access.
    The two approaches complement each other to obtain a complete view of the attack surface and the real risks.

u

Is a penetration test legal in France?

Yes, provided it is authorized and governed by a contract signed between the service provider and the customer.
Unauthorized pentesting is a criminal offence (article 323-1 of the French Penal Code).
Companies must therefore ensure that the test is carried out by a qualified service provider, in compliance with current legislation and standards.

DSecBypass systematically issues a mandate, an additional document that provides a legal framework for presales.