Penetration Testing


Definitions

A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized, simulated cyberattack on a computer system, performed to evaluate the security of that system. The UK National Cyber Security Centre describes penetration testing as follows: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."

The goals of a penetration test vary with the type of activity approved for a given engagement. The primary goal is to find vulnerabilities that a malicious actor could exploit, and to inform the client of those vulnerabilities along with recommended mitigations. Penetration tests are sometimes one component of a full security audit. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing at least annually and after any significant change to the infrastructure or application.

As a Four51 distributor customer, you should expect that your largest and most security-conscious customers (which we call Buyers) are the ones most likely to request a pen test.

Process

If your customer informs you that they intend to conduct a pen test, use the Storefront Pen Test Application form to relay the request to Four51. You can submit the form through the case system. Four51's Infrastructure-as-a-Service provider requires 5 business days' notice before a pen test, so please plan accordingly. The purpose of the form is to ensure a successful test: it gives Four51 and its hosting provider advance notice of the tester, the scope and the test window. A tester could run a pen test without your knowledge or ours, but Four51 will not respond to the findings of a test that did not follow this process.

The test itself may be conducted against Four51's Test or Production environment; most testers prefer the Production environment. Make sure the form states which environment is in scope.
 

Findings & Remediation

Once the tester publishes the pen test findings, please send a full copy in PDF format to Four51. Findings are normally ranked and sorted by perceived severity, e.g. High, Medium, Low, Informational. A professional, thorough report also includes details on each finding: steps to reproduce it, recommended remediation techniques, relevant references to security community resources (e.g. OWASP), and an estimate of the development effort needed for the recommended remediation.

Four51 charges a flat fee of $10,000 per test for a comprehensive analysis of all findings and remediation recommendations for each. Delivering the analysis requires multiple meetings of Four51's Security, Architecture and Advanced Tech teams. Once all follow-up questions have been answered, normal delivery time is 3-5 weeks. Please note:


Option: Use Four51's Pen test

As part of ongoing security compliance, Four51 contracts with a third party to conduct an annual pen test. You are welcome to share the summary results of the most recent test with your Buyer. There is no charge for this service.


If you have any questions, please submit a case.