1on1 rozhovor

Penetration testing is an attack carried out in your favor: experts deliberately look for weaknesses before a real attacker finds them. The difference between a hack and a pentest lies in the mandate and consent, but the goal is the same – to uncover and eliminate vulnerabilities. This is explained by Peter D., Vice President of ESET, who outlined why the development company embarked on comprehensive security and what companies take away from the tests.

From products to services: why ESET tests

Approximately fifteen years ago, people at ESET realized that although they develop security products, their own internal security requires systematic attention. A decision was made to simultaneously strengthen the protection of their own infrastructure and build a portfolio of services for customers. This internal “shoemaker’s children” moment thus kicked off security testing for their own products and environment as well.

Services are not the company’s main product line, but they have solid references and experience. The primary market is Slovakia and the Czech Republic, but they are gradually delivering tests to EU countries and beyond. They also collaborate with local partners who assume part of the responsibility for the brand’s quality and reputation.

A pentest is not a hack: systematic weakness assessment

Security testing is a broader term than penetration testing: it is not just about the “first easy catch,” but about systematically searching for vulnerabilities and attempting to demonstrably exploit them. While a hacker reaches for the “lowest-hanging fruit,” a tester is supposed to map the full spectrum of places where weaknesses may be hiding. This includes infrastructure, internal and external applications, and, ultimately, the employees themselves.

Social engineering shows that people tend to be the weakest link. Tests therefore simulate real situations – from fraudulent emails to attempts to push through malicious code. The point is not only to demonstrate a breach but also to spark discussion and raise awareness: nothing is more effective than conversations by the “kitchenette” about how the test turned out.

Stories from the field and what happens after the report

A curious case came from an organization that needed to justify an expensive replacement of an operating system that had long been out of support. The team’s task was to demonstrate that even with existing measures, an unpatched system is a risk that can no longer be ignored. In social engineering, it also happens that employees themselves “help” spread the test code and even request its installation on colleagues’ machines, which faithfully mirrors real attacks.

Pentest reports usually go to the manager responsible for security, developers, and operations; boards often do not concern themselves with technical details. Developers are initially skeptical, but after the findings are explained, they tend to be the most appreciative – they quickly fix bugs and incorporate the lessons into the code. If the results are weak, targeted training follows: from secure development principles to e-learning for regular employees. The best practice is to link the training immediately after the test – motivation and memory of the incidents are strongest then.

1on1 interview

From products to services: why ESET tests

A pentest is not a hack: systematic weakness assessment

Stories from the field and what happens after the report

Peter Dekýš

Recommendation speakers

Kamil Šaško

Olivia Blanchard

Zsolt Bubori

Sivakumar Murugadoss

1on1 interview

From products to services: why ESET tests

A pentest is not a hack: systematic weakness assessment

Stories from the field and what happens after the report

Peter Dekýš

Recommendation speakers

Kamil Šaško

Olivia Blanchard

Zsolt Bubori

Sivakumar Murugadoss

Páčil sa ti článok? Zdieľaj ho a povedz o ňom aj ostatným