Blog

As a penetration tester, few things are more frustrating than firing up Burp Suite, configuring your proxy, and then watching Java applications completely ignore your interception attempts. While web browsers play nice with proxy certificates, Java applications seem determined to make your life difficult.

After nearly a decade of leading penetration testing engagements and growing our team from one tester to 43 professionals, we've learned that the questions you ask during vendor selection can determine whether you'll receive genuine security value and a successful engagement, or just frustrating checkbox exercises.

Anytime you're scrolling through cybersecurity news, you’re likely to come across another headline about a data breach featuring quotes from the latest targeted company explaining why their customers’ personal information is now floating around the dark web. And then that familiar knot in your stomach creeps in asking the same question: "Could this happen to us?"

It's been an exciting past few years for the Schellman penetration testing team. Throughout 2024, our team worked with over 150 clients to support their efforts in securing their businesses. As a lead assessor in the FedRAMP marketplace, Schellman prides ourselves in being able to assess our clients’ systems and helping to identify the vulnerabilities they may have.

Your IoT devices sit on your client’s networks. They may even sit there for years without the ability to obtain software updates. Your clients may even expose these devices directly to the Internet with no network firewall in place. All the same, your clients still expect these devices to always be available and secure. Before deploying these devices, your team should consider a IoT/hardware penetration test. However, before you begin this process, let’s discuss the uniqueness of this style of engagement, followed by traps to look out for when selecting a provider.

In any information security program, mobile applications should be considered for inclusion in penetration tests. No matter the size of an application, it may serve as an avenue of attack against your environment or users and the threat potential of these applications is similar to that of web applications. In fact, some mobile apps are effectively web apps with a wrapper while others utilize a unique frontend, but with a backend web API.

What is the Offensive Security Certified Professional (OSCP) Certification? The Offensive Security Certified Professional certification, or OSCP, is an ethical hacking certification that demonstrates proficiency in penetration testing using Kali Linux tools. This test can be undeniably grueling if you are ill-prepared, with nearly 24 hours of hands-on keyboard hacking followed by another 24 hours of documentation/report writing.

You may feel confident that your organization has a mature cybersecurity program if you’re able to thwart the vast majority of threats through established practices and procedures. However, despite those efforts, even amongst the most secure of organizations there is still the ever-looming threat of the legendary Advanced Persistent Threat (APT). Furthermore and unfortunately, it’s difficult to ascertain if you’ve been compromised by one. Thankfully though, it is possible to simulate an external APT attempting to breach your organization’s perimeter through a red team exercise.