Synetis carries out non-destructive penetration tests (internal, external, application) on various IS components. These tests allow you to simulate the behaviour of a malicious individual, whether or not external to your organization. Each of the identified vulnerabilities is qualified using the CVSS v3 methodology (the Common Vulnerability Scoring System enables the characterization and evaluation of the impact of computer vulnerabilities). An action plan is then proposed at the end of each audit.

The principle of penetration testing (also known as pentest) is to discover vulnerabilities on an audited system and to verify their exploitability and impact, under the real conditions of an attack on the system, instead of a potential attacker.
By way of illustration, during a web application audit (web pentest), the auditors will look for vulnerabilities in the same way as an attacker would. Synetis auditors look for vulnerabilities such as those listed by the Open Web Application Security Project (OWASP).

During internal intrusion tests, Synetis auditors will take the point of view of a malicious individual placed on your premises, on your corporate network (without then with legitimate access, i.e. black box, then grey box). It is also possible to start the audit directly from a corporate workstation. This type of test will make it possible to evaluate the effectiveness of the network and system partitioning, to check the hardening of the resources to which the attacker could have access. Often, these penetration tests take place in a Windows environment.

The growth in recent years in the use of SaaS and Cloud hosting services are particularly interesting targets for attackers, opening new doors from the outside to internal access to the company’s Information System. Recent events have made it all the more urgent for companies to open up new flows from the outside to enable their staff to work remotely: VPN access, remote office access, port opening, and so on. An external penetration test carried out by Synetis is then able to list your system’s vulnerabilities.

Depending on your needs, the methodologies followed can be black box (from the point of view of an unauthenticated attacker), grey box (from the point of view of an authenticated user) or white box (full access to the specifications).