Penetration Testing Tools & Pentest Software

Penetration Testing Tools & Pentest Software

Penetration testing tools, including vulnerability scanners, play an important part in our pentesting services, but we should and do not rely on them for everything.
In fact, most of the work we do is manual testing, supported by tools such as Tenable Nessus Pro, Burp Suite, Sonarqube, AppScan and others. We use and develop our own scripts for many purposes and maintain a large toolkit in our repository. The validation of these pentest tool results is done manually by our team.

Specific tasks sometimes have specific tools, and this is why we also use tools such as IDApro for binary analysis, Cloud scanners for checking cloud configurations and CIS baseline scripts to check for compliance against the CIS baselines.

When it comes to hardware and wireless technologies, our lab is equipped with Software Defined Radios (SDR), (de)soldering stations, logic analysers, and a slew of interfaces for testing hardware such as Bus Pirates, Facedancers, JTAGulators and many others.

We like to keep our lab and tools up to date, and are always looking for new and exciting ways to make testing better and more efficient.

What is the best testing frequency? Many organizations settle for yearly assessments, or when major changes are made to applications or infrastructures. Is that enough?

It is becoming more and more common to perform very frequent small incremental updates to applications (when using Agile, DevOps and CD/CI software development models). This makes it necessary to adapt the testing frequency also, and is the reason that Bureau Veritas Cybersecurity also offers Periodical Testing (also known as Continuous Scanning) where applications are first tested manually, then automatically every month, week or biweekly.

Given the frequency, test reports for the automated test will be delta reports, only providing the differences with the previous reports.