Penetration testing

A penetration test is a targeted attack on one or more systems with the intention of uncovering security vulnerabilities so that these can be fixed and not exploited by a malicious actor.

All systems should go through a penetration test before being released into production for the first time. Additional tests should be run on a regular basis to uncover new vulnerabilities introduced as part of ongoing work. Be aware that a penetration test can never prove the absence of vulnerabilities; it can only document that the system was not vulnerable to the techniques and attack vectors used.

Bouvet has a dedicated group of people specializing in penetration testing. For more info, please see bouvet.no/cyber.

For projects staffed with developers with a particular interest in security, having an internal penetration testing workshop is recommended. Allocate a full day where the relevant developers work together trying to attack the system, documenting any weaknesses or defects discovered as part of the process. This is a good exercise both for team-building and for learning more about the system and environment.

Please note: before starting any type of penetration test, the test must be approved by the system owner. This approval should be in writing, and must also describe the scope, start and duration of the test. Any other affected parties, such as a Security or Network Operations Center, should also be notified to avoid interference with the test.