Secureaks

Protect your data with a cybersecurity expert

I'm Romain Garcia, and with 8 years' experience, I'm here to help you identify and correct vulnerabilities in your system or website.

Certified Ethical Hacker

Validates expertise in ethical penetration testing, to identify and fix vulnerabilities in IT systems.

Burp Suite Certified Practitioner

Demonstrates advanced skills in finding and exploiting vulnerabilities in Web applications.

How do I carry out your security audit?

Carrying out a security audit is a crucial step in ensuring that your information system or web application is protected against potential vulnerabilities and cyber-attacks. Here's how I carry out this essential task:

  • Together, we define your target, your needs and the approach that best suits you (Blackbox, Greybox, Whitebox).
  • Together, we sign a contract and a mandate for testing on the defined target for a specific period and date.
  • I carry out the penetration test following the methodologies recommended by OWASP.
  • I present you with my audit report in a videoconference, detailing the vulnerabilities discovered and the solutions for correcting them.

Serious and professional

"Kriptown called on Romain as part of a security / pentest audit of our platform. The service was carried out with excellence and we were delighted to work with someone as serious and professional as Romain. There's no doubt that we'll call on you again if we ever need services in this area."


Mathieu Esteve
CTO & Founder at Kriptown

Quality of the final report

"Prismea, a neobank for professionals, had the pleasure of collaborating with Romain for a complete security audit of the platform (AWS, APIs, ...). The collaboration with Romain and our teams was excellent throughout the mission. What's more, the quality of the final report is beyond reproach: in English, details of weaknesses, recommendations, best practices, alternatives, etc. As a Leader, I would recommend Romain to anyone wishing to have their platform audited or perform Pentests."


Philippe Leboc
Senior developer at Prismea

Quality work

"Romain carried out a pentest mission for one of our customers. He produced quality work and the pentest report was clear and exhaustive. I recommend working with Romain as he is very professional!"


Patrice Giraud
MD6

My audit methodology

To make my security audits as reliable and accurate as possible, I rely on industry standards, and in particular on OWASP recommendations and methodologies. I carry out numerous manual tests, and also use a number of specialized security tools to automate and deepen certain tasks.

1. Reconnaissance


I look for public information about you and the target.

This enables me to fully understand the target and its environment, and to check whether sensitive data about you is available on the Internet and/or the darknet.

2. Mapping


I study in detail the operation of the target application or system and its environment. I precisely list the different functionalities and services available.

This enables me to see the whole picture, so that I can allocate my time efficiently.

3. Discovery


This is where I actually look for vulnerabilities in the target application or system. I don't exploit them in depth at this stage, however, as I might then run out of time to discover other vulnerabilities.

So I'll identify as many as possible and exploit them in the next phase.

4. Exploitation


I fully exploit the vulnerabilities I discovered in the previous phase.

I'll be able to assess the impact they may have, so as to be able to advise you as best I can. It may also enable me to discover other vulnerabilities.

The different approaches to pentesting

There are generally three approaches, each with its own advantages and disadvantages.

Blackbox


  • Real-world conditions
  • No specific information provided
  • Evaluation at a specific point in time
  • Technical exchanges possible
  • Allows you to assess your level of security at a specific point in time
  • Perfect for a first audit

Greybox


  • Information communicated (specific user access, technical documentation, etc.)
  • Allows you to better assess the impact of vulnerabilities
  • Covers a larger part of the application
  • More in-depth technical discussions
  • Perfect for going further than a blackbox audit

Whitebox


  • Very precise and exhaustive information provided (administrator account, source code, etc.)
  • Discovery of vulnerabilities that would have been very difficult to detect by more conventional means
  • Perfect for covering a complex application or system

Results presentation

In the interests of transparency and efficiency, it's vital to understand how the results of your security audit are structured and communicated. Here's a detailed overview of what's included in the security audit report, and how we present it to you and support you through the next steps.

What does my security audit report contain?

  • All identified vulnerabilities sorted by criticality, as well as items discovered during the reconnaissance phase.
  • For each vulnerability, you'll find a description of the type of vulnerability and its implications.
  • This is followed by technical details enabling you to understand and reproduce the vulnerabilities discovered.
  • For each element, I'll suggest ways of correcting it.

How do we proceed?

  • I'll e-mail you to let you know that the audit is over.
  • We agree to meet by videoconference.
  • I present the security audit report.
  • After the presentation, I send you the audit report securely.
  • If you wish, we can schedule a phase to verify the corrections applied.

A free discovery audit*

Would you like to find out more about my services?

I offer you a free*, no-obligation discovery audit of your website until June 30, 2024.

What's in it for you?

  • A quick diagnosis of your website
  • Get an idea of the security status of your platform
  • If vulnerabilities are discovered, you'll already be able to correct them
  • You'll know if a more extensive audit is required

What does this service include?

  • A quick one- or two-hour penetration test
  • The same methodology as a standard audit
  • The same tools are used
  • You will receive an audit report
  • A presentation of the results will be made by videoconference

* Free, no-obligation audit until June 30, 2024 reserved for professionals, limited to one service per customer and subject to availability.

Frequently asked questions

How much does a security audit cost?

The cost of a pentest depends on several factors, such as the complexity and size of the system to be tested, the type of pentest (black box, white box, grey box), and the duration and depth of the test. We offer customized quotes after assessing your specific needs to provide you with an accurate estimate, but the average budget is between €1,500 and €4,500 excluding VAT.

How do you choose which test methods to apply?

Test methods are chosen according to the customer's specific objectives, the environment to be tested and the most relevant threat types. We use a combination of automated and manual testing, including black box, white box and grey box techniques.

What is the result of a pentest?

The result of a pentest is a detailed report that includes the vulnerabilities discovered, an assessment of their severity, and recommendations for their mitigation. This report helps organizations understand their security posture and take corrective action.

Is a pentest really necessary for my small/medium-sized business?

Yes, whatever the size of your business, you are likely to be the target of cyber attacks. A pentest can reveal unexpected vulnerabilities in your security system and help you correct them before they can be exploited by attackers. This can not only protect your critical assets and data, but also boost your customers' confidence in your ability to protect their information.

How can I justify the cost of a pentest to my management?

You can justify the cost of a pentest by highlighting the return on investment in terms of preventing financial losses due to data breaches, protecting corporate reputation and regulatory compliance. A pentest can also be seen as insurance against the much higher costs associated with a successful cyber attack, including fines, legal damages, and loss of customer confidence.

How long does a security audit last?

The duration of a pentest can vary according to the complexity of the system under test, the scope of the objectives and the methods used. In general, a pentest can last from a few days to several weeks, with an average of around three days.

What kinds of organizations need cybersecurity and pentesting services?

All organizations that depend on information technology for their operations can benefit from cybersecurity and pentesting services. This includes businesses of all sizes, governments, financial institutions, healthcare facilities, and more.

How can I prepare for a pentest?

To prepare for a pentest, make sure all stakeholders are informed of the exercise, clearly define the scope of the test, back up your important data and provide the pentest team with the necessary access.

How often should I carry out a pentest?

We recommend carrying out a pentest at least once a year, or whenever you make significant changes to your IT system. This may include adding new applications, modifying your network infrastructure or following a merger/acquisition.

How are pentest results communicated?

The results of a pentest are usually communicated in the form of a detailed report that includes an overview of the vulnerabilities identified, an impact analysis, and recommendations for mitigation. We also offer a debriefing session, usually by videoconference, to discuss the results, clarify any questions and help plan next steps to improve your security.

Contact me

Do you have any questions or would you like to request a pentest? Please do not hesitate to contact me.

Email me:

E-mail me if you have any general questions.

garciar@secureaks.com

Call me:

Don't hesitate to call me if you have any general questions.

+33 (0)4 44 44 93 73

Meeting

Book a meeting to discuss your security needs.

calendly.com/secureaks-garcia