How we work with Zoonou to improve website security and give our clients peace of mind.

Globally, 30,000 websites are hacked daily and 64% of companies worldwide have experienced at least one cyber attack. If you collect data via your website, for example, consultations, e-commerce, and health data, then security is an issue that can’t be ignored.

A penetration test (or pen test) helps to identify potential security vulnerabilities and show where attackers could attempt to gain access to confidential data.

Studio 24 is a Cyber Essentials Plus accredited agency, and we take data privacy seriously. We advise clients on how best to process data online and we implement best practices to ensure data security.

When we build a website that processes personal data, we can arrange for a pen test with our trusted partner Zoonou. We first started working with Zoonou in 2019, as a QA testing partner.

Zoonou provides an independent and impartial evaluation of the security controls we implement. Their detailed reports give our development team clear, actionable insight to strengthen security and improve the resilience of a website before launch.

What is a pen test?

A penetration test, or pen test, is an ethical cybersecurity assessment where specialists safely attempt to “break into” a website. The assessment is designed to simulate real-world attacks to uncover security gaps or vulnerabilities that could be exploited.

Importantly, a pen test doesn’t mean a website is insecure. It means you’re taking a proactive approach to understanding and improving its security.

When might you need a pen test?

Not every website requires penetration testing: a brochure-style site with no data capture or user interaction may not need a formal test. It becomes increasingly important when a site:

  • collects personal data through forms
  • handles user accounts or login areas
  • processes payments
  • supports critical services or public-facing digital platforms.

How do you choose a penetration testing provider?

When selecting a penetration testing provider, it’s important to look for independence, recognised standards, and clear, actionable reporting.

We recommend choosing a provider accredited by recognised frameworks such as CREST or CHECK. These certifications demonstrate that testing methodologies and processes are independently assessed and meet established industry standards.

Finally, a good provider should offer clear reporting with prioritised findings, practical remediation guidance, and follow-up retesting to confirm that any issues have been resolved.

Zoonou build fresh perspectives into their testing; this is why we’ve chosen them as our testing partner.

Our penetration testing approach is designed to replicate the techniques used by real attackers, in a controlled and methodical way. By combining certified expertise with recognised industry frameworks, we’re able to uncover vulnerabilities that aren’t always visible during development and provide practical guidance to resolve them.

Mike Goodman, Director of Technical Services at Zoonou

What happens in a pen test?

During a pen test, specialist security testers use their experience, creativity, and technical expertise to safely simulate real-world attacks. The aim is to ethically identify and exploit potential flaws or misconfigurations in an application before they can be discovered by malicious actors.

Testing is guided by recognised frameworks such as the OWASP Top 10, a globally established benchmark for the most common and critical web application security risks.

The outcome is a detailed, encrypted report that outlines any vulnerabilities identified, their potential impact, and clear, prioritised recommendations for remediation.

Case study: prioritising security for an online consultation website

We designed and built a bilingual consultation portal for Democracy and Boundary Commission Cymru that makes complex boundary changes clear and gives the public a simple way to respond.

As a public sector organisation that was collecting personal data from consultation respondents, the client wanted peace of mind that the portal we were building was secure.

Zoonou carried out pen testing for both the English and Welsh language versions of the consultation portal. The test included the public-facing section of the website, where data is collected, and the back-end administration tools.

The results of a pen test are provided in an extensive report, where any potential issues are ranked in order of severity from ‘critical’ to ‘raised for reference’.

There were no critical issues with this project. A technical summary gave our developers the information they needed to remedy the handful of issues that had been raised. These amendments were then retested, and a retest report confirmed that the website was secure to launch.

Pen testing is a specialist skill, and we are grateful to Zoonou for their expertise in this area. It gives our clients and us that extra level of reassurance that the website we have built will protect personal data and keep the hackers out.

James Palferman, Studio 24