Penetration Testing
Let us find the weak links in your eCommerce web application.
Your eCommerce business rely’s on a secure Environment. eCommerce threats are evolving daily. Even the most advanced eCommerce platforms are vulnerable to attack. We provide network vulnerability mapping, exploitation attempts, social engineering, and real-time cyber threat analysis for Retail Organization and eCommerce and legal organizations in North America and the Caribbean.
If you sell and ship physical or even digital items, deal with online payments, or store sensitive visitor information? Then you need a pen test.
eCommerce applications usually have back end content management system which allow admins to add, edit or delete products, pricing, offers, shipping rates etc. The back end is usually integrated via an API with re-sellers, content providers, and partners. Having more partners or “connections” leads to more vulnerability. Specialized penetration testing can identify issues specific to eCommerce design, platform weaknesses or third party security issues including mobile payments and integrations with third-party vendors and products.
What Type of Pen Test Does Your Retail Organization or eCommerce website Need?
In general, there are two categories of penetration testing or “pen test” that Retail Organization and eCommerce usually require: customer-driven / compliance-driven, OR penetration tests that attempt to exploit people, process or technology with the objective of breaking into the network and gaining access to digital assets.
Scenario 1 Pen Testing
Customer-Driven or Compliance-Driven
Example: “We have a web application and one of our biggest clients need us to get a 3rd party pen test performed for their risk team”.
This scenario actually describes a vulnerability assessment, followed by a blend of automated and manual pen testing that looks for obvious configuration flaws or vulnerabilities that can be exploited without too much effort. The main goal is to produce a remediation report on the issues that let you harden your website, application or network. This can also be considered a security audit of sorts, particularly when a specific set of metrics are used for compliance measurement (e.g. PCI-DSS compliance) or if we are looking at analyzing the running configuration of a device. CyberHunter will produce a Penetration Test Report and depending on the needs, couple this with an OWASP report (for web apps), a PCI Compliance report (QSA-Certified or Standard), or an ISO27001/2 report for standard-specific requirements.
Pricing for a Type#1 Penetration Test (for a single web application or perimeter device) can be in the range of $1,000 to $5,000 depending on size and scope, and will take approximately 3-5 days.
Scenario 2 Pen Testing
Breach the Network (Red Team Exercise)
Example: “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”
This scenario describes a more traditional penetration test. This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization. This testing covers exploitation attempts against People, Process, and Technology. It can involve a significant amount of social engineering and usually triggers active security controls and countermeasures inside the operating environment. These tests will additionally assess internal Blue Team (the defensive team) responsiveness and/or process in the event of an intrusion detection.
Pricing for a Type#2 Penetration Test (Red Team Exercise) can start in the $5,000 to $15,000 range but this pricing is dependent upon the objectives, methodologies used, and duration of the exercise. Typical penetration testing durations are 3-4 weeks or more, depending on scope, as they can involve significant reconnaissance efforts and exploitation creation.
The right Pen Test can save your Retail Organization or eCommerce website from being the next headline.
PENETRATION TESTING FOR Retail Organization and eCommerce
4 types of eCommerce vulnerabilities you need to know:
- Content management system integration
- Coupon and reward management
- Payment gateway integration
- Order management
Test Evidence and Reporting
The following flavors of testing and reporting are available from CyberHunter:
- Technical Detailed Report
- Executive Briefing
- Remediation Report
- MS Patch Reports
- PCI Compliance
- HIPAA
- SOX
- ISO 27001/2
- OWASP
- Center for Internet Security (CIS)
- US DoD STIG
- NIST CVE
- SANS Policy
CyberHunter can audit network devices as well: Cisco, Juniper, Palo Alto, HP ProCurve, Fortinet, Check Point, WatchGuard, Foundry and many others.