What Are the Steps for Migrating Our Website from Joomla to TYPO3 and What Are the Associated Costs?
Answer
Introduction
Penetration testing — the practice of ethically attempting to exploit vulnerabilities in a system to identify security weaknesses before malicious actors do — is one of the most valuable investments a Swiss business can make in its security posture. For businesses that handle customer data, process payments through Twint or PostFinance, or operate critical digital infrastructure, regular penetration testing is increasingly expected by enterprise customers, required by compliance frameworks, and demonstrably effective at finding real vulnerabilities. In this article, we explain what penetration testing involves, how to approach it, and what Swiss businesses should look for when commissioning a test.
Problem
Many organisations have significant security vulnerabilities that they are unaware of — and the consequences of discovering them through an actual attack are far more severe than finding them through a controlled test.
Unknown Vulnerabilities
- Automated security scanning catches common, well-known vulnerability patterns but misses complex logical vulnerabilities, business logic flaws, and multi-step attack chains.
- Developers are focused on building features — security considerations are easy to overlook, particularly in complex integrations with third-party services.
- Vulnerabilities in older code are often not revisited as the application evolves, leaving security debt that accumulates undetected.
Compliance Requirements
- Enterprise customers increasingly require suppliers to demonstrate annual penetration testing as a condition of contract.
- PCI DSS compliance (relevant for businesses processing payment card data alongside Twint and PostFinance) requires regular penetration testing.
- The Swiss FADP's requirement for "appropriate technical measures" to protect personal data is increasingly interpreted to include regular security testing for businesses processing significant volumes of personal data.
Solution
A well-scoped penetration test conducted by qualified professionals provides an objective assessment of your actual security posture.
1. Types of Penetration Testing
- Web Application Penetration Test: Focuses on vulnerabilities in web applications and APIs — the most relevant type for most Swiss businesses with an online presence. Tests for OWASP Top 10 vulnerabilities and application-specific issues.
- Network Penetration Test: Assesses the security of network infrastructure, firewall configurations, and exposed services.
- Social Engineering Assessment: Tests employees' susceptibility to phishing and other social engineering attacks.
- Red Team Exercise: A comprehensive, unannounced simulation of a real-world attack that tests both technical and human defences.
2. Black Box, Grey Box, White Box
- Black box: The tester has no prior knowledge of the system — simulates an external attacker. Finds externally exploitable vulnerabilities but may miss internal threats.
- Grey box: The tester has partial knowledge (e.g. a regular user account) — typically provides the most useful findings for the cost.
- White box: The tester has full knowledge of the system, including source code — the most comprehensive but also most expensive approach.
- For most Swiss SMEs commissioning their first penetration test, a grey box web application test provides excellent coverage and value.
3. Scope Definition
- Define the scope precisely before the test begins: which URLs, APIs, and IP addresses are in scope; which are explicitly out of scope; and what testing techniques are permitted.
- For Swiss businesses integrating Twint or PostFinance, clarify with your payment provider what testing is permitted against their integration points.
- Include a clear rules-of-engagement document that defines what happens if a critical vulnerability is discovered mid-test.
4. Choosing a Penetration Testing Provider
- Look for OSCP, CREST, or equivalent certifications as evidence of technical competence.
- For Swiss businesses with data protection considerations, Swiss or EU-based providers with explicit FADP/GDPR compliance processes are preferable.
- Require a detailed written report covering all findings, their severity, evidence of exploitation, and clear remediation recommendations.
- A reputable provider will include a remediation verification re-test in their standard offering.
Benefits
Regular penetration testing delivers significant security and business benefits.
- Discovery of real, exploitable vulnerabilities before they are found by malicious actors.
- Objective evidence of security posture for enterprise customers, insurers, and compliance auditors.
- Actionable, prioritised remediation guidance that enables focused security investment.
- Security awareness benefit for development teams who review and address findings.
- Demonstrable compliance with FADP "appropriate technical measures" requirements.
Practical Example
A Swiss fintech processing CHF payments via PostFinance commissioned its first grey box web application penetration test. The test identified a critical BOLA (Broken Object Level Authorisation) vulnerability that allowed any authenticated user to view any other user's transaction history by modifying a user ID in an API request. It also identified four high-severity and twelve medium-severity findings. All critical and high findings were remediated within two weeks. The test cost CHF 12,000 and the BOLA vulnerability, if exploited, could have resulted in an FADP data breach notification affecting 45,000 customers — a cost vastly exceeding the test investment.
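To make the BOLA finding above concrete, here is an added example (not code from the original article or from the fintech it describes) that models the flawed transaction-history endpoint beside its hardened form, plus the kind of regression check a development team can keep after remediation. All user IDs, transaction records and function names are constructed for illustration; the handlers take a plain request object rather than a real web framework so the example runs offline.

```python
"""Added example: the BOLA (Broken Object Level Authorisation) pattern from the
practical example above, shown as a vulnerable handler next to its fix.
All data and names below are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample data: each user's transaction history keyed by user ID.
TRANSACTIONS: Dict[int, List[dict]] = {
    1001: [{"id": "tx-1", "amount_chf": 120.50, "counterparty": "PostFinance"}],
    1002: [{"id": "tx-2", "amount_chf": 42.00, "counterparty": "Twint"}],
    1003: [],  # a user with no transactions yet
}


@dataclass(frozen=True)
class Request:
    """What the handler sees for GET /users/{id}/transactions.

    session_user_id is trusted: it is set server-side after authentication.
    path_user_id is untrusted: it is whatever the caller put in the URL.
    """
    session_user_id: int
    path_user_id: int


Handler = Callable[[Request], Tuple[int, object]]


def get_transactions_vulnerable(req: Request) -> Tuple[int, object]:
    """The flawed pattern from the article: the caller is authenticated
    (there is a valid session), but the object is selected purely by the
    ID in the URL, so any logged-in user can read any other user's history."""
    if req.session_user_id not in TRANSACTIONS:
        return 401, {"error": "unauthenticated"}
    history = TRANSACTIONS.get(req.path_user_id)  # no ownership check here
    if history is None:
        return 404, {"error": "not found"}
    return 200, history


def get_transactions_fixed(req: Request) -> Tuple[int, object]:
    """Hardened form: object-level authorisation compares the requested
    object's owner with the authenticated principal before any data is read.
    Returning 404 instead of 403 would additionally avoid confirming that the
    ID exists; 403 is used here so the control is visible in tests."""
    if req.session_user_id not in TRANSACTIONS:
        return 401, {"error": "unauthenticated"}
    if req.path_user_id != req.session_user_id:
        return 403, {"error": "forbidden"}
    return 200, TRANSACTIONS[req.session_user_id]


def bola_regression_check(handler: Handler) -> List[Tuple[int, int]]:
    """In-process regression test for the remediation (the re-test the article
    says a reputable provider includes, in CI form): for every pair of distinct
    users, a request for someone else's history must not return 200.
    Returns the (caller, victim) pairs where cross-user access succeeded;
    an empty list means the control holds."""
    leaks: List[Tuple[int, int]] = []
    for caller in TRANSACTIONS:
        for victim in TRANSACTIONS:
            if caller == victim:
                continue
            status, _ = handler(Request(session_user_id=caller, path_user_id=victim))
            if status == 200:
                leaks.append((caller, victim))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", bola_regression_check(get_transactions_vulnerable))
    print("fixed handler leaks:     ", bola_regression_check(get_transactions_fixed))
```

The essential difference is a single comparison: the fixed handler derives the owner from the server-side session and refuses the request when the URL names anyone else, instead of trusting the caller-supplied ID. Keeping the regression check in the test suite guards against the flaw being reintroduced when the endpoint is next refactored.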
Conclusion
Penetration testing is one of the most cost-effective security investments available to Swiss businesses with an online presence. The cost of finding and fixing a critical vulnerability through a controlled test is a fraction of the cost of responding to an actual breach — in incident response, regulatory reporting, customer communication, and reputational damage. Swiss businesses that process personal data or payment information should treat annual penetration testing as a standard operational expense, not an optional security luxury.