Security Testing

Michael Romain is the Global Practice Director of our security testing practice and has an extensive technical, cybersecurity and management background. He is managing our security testing portfolio and overseeing the integration of new security testing capabilities and teams. . 

Different offensive testing techniques can be used depending on your organization’s security objectives. These techniques range in scope and coverage from initial vulnerability assessments, which have a bigger focus on breadth of coverage, to penetration testing which are a more in-depth examination of specific assets (such as web applications, networks or mobile applications).

Penetration testing then leads onto and forms part of larger, more complex and in-depth attack simulations which span multiple domains of information security (people, process and technology) to identify vulnerabilities across the organization.

A vulnerability assessment is an automated scan that identifies issues using signatures that detect missing patches and out of date operating systems, etc. It can’t catch business logic issues or chain together vulnerabilities to help explain how they can be used for exploitation.

A penetration test is a time restricted, simulated attack against a customer’s systems and applications using the same tools and techniques of real hackers.

Once an organization has created a program of vulnerability assessment and patching, they’re ready to start penetration testing

The BSI Security Testing Maturity Framework (outlined below) can be used to help identify the most effective security testing level for your organization. The framework marries the security maturity of an organization with its appetite for risk to identify the optimal level of testing and provide the best return-on-investment.

The first step on the journey to improving your information security maturity and creates the initial technical baseline from which to build on your security program. Learn more

This level is for organizations with a growing security capability and is looking to identify and achieve security improvements. This should also align with the organization’s risk appetite. Learn more

How well prepared are you and your organization to prevent, detect, respond and recover from an attack? To learn how attack simulation services and red teaming techniques can help build your organization's security posture, watch our three-part webinar series including a unique real-world demonstration.