Is the AppCheck service a "penetration test"?
AppCheck is an automated Web Application and Infrastructure vulnerability scanner. The type of scanning it performs is normally referred to as "Dynamic Application Security Testing (DAST)". The "dynamic" part indicates that it tests a live, running instance of an application, in contrast to offline static analysis of source code, which is an alternative form of testing. The dynamic testing of a live web application or service does make AppCheck similar in many ways to a manual penetration test. Additionally, AppCheck as a service has been designed and developed by experienced penetration testers. However, it is not directly equivalent to a manual penetration test, which is conducted by a human. The AppCheck offering differs slightly from a penetration test in that it offers much greater scalability and speed of testing than a human tester, but it can lack human awareness of context in some circumstances. The two offerings (vulnerability scan and penetration test) are therefore typically seen as complementary, i.e. both should be performed, rather than as directly comparable substitutes for, or competitors with, one another.
Can AppCheck as a company provide penetration testing?
Yes. Although it is not a core part of our service offering, we are able to offer penetration testing services via contracted consultants on an on-demand basis.
Whether you need a penetration test in addition to your AppCheck vulnerability scanning depends upon your exact requirements, which we are happy to discuss with current and prospective clients.
Where can I find more information?
If you have not previously engaged a penetration testing company, or are unclear on your exact requirements, we would encourage you to get hold of a copy of the CREST Penetration Test Procurement Buyers' Guide (https://www.crest-approved.org/wp-content/uploads/PenTest-Buyers-Guide.pdf). It can be useful in explaining the options for penetration testing, when it might be appropriate, and the criteria to use in order to select a penetration testing provider appropriate to your organisation's unique requirements.
We would also encourage you to contact your account manager to discuss options further, or for new customers to contact us via our website at www.appcheck-ng.com