
What is security testing?

We recognise and assess the security risks and vulnerabilities of your application using a wide range of techniques, such as penetration testing, vulnerability scanning, security code reviews and risk assessments.

We can also help you maintain and modernise your IT infrastructure and solve the various infrastructure-specific issues a business may face.

Objective

A security assessment probes applications, operating systems and device configurations with the goal of gaining access to protected data, escalating privileges to restricted resources, modifying sensitive data, and making data or systems permanently or temporarily unavailable. Performing a security assessment is mandatory in order to eliminate or reduce these risks before an attacker can exploit the weak points. The assessment focuses on the OWASP Top 10+ vulnerabilities and tests each asset against multiple attack vectors in order to identify unattended threats and verify the security measures already in place. It offers a broad view of any existing flaws in the system without measuring the impact of those flaws.

There are three approaches to this assessment: white box, grey box and black box. Each relies on the level of knowledge the auditor has before starting the assessment. With the black box approach (meaning as little information as possible is provided by you beforehand), part of the time available for finding vulnerabilities will be consumed by tasks such as identifying users, endpoints and the application infrastructure. We recommend the grey box approach, in which the client provides all user accounts together with their passwords, so that as much as possible of the functionality exposed by the system can be exercised. The white box approach means access to source code; this is required when security work is done in parallel with development.
The scope

The scope of the security assessment can be covered by one or more of the following:
  • Web application vulnerability assessment
  • Penetration testing
  • Infrastructure security assessment

What to cover depends on the client's needs and on the time available for the assessment. In order to make the right decision about which type of assessment is the appropriate one to execute, it helps to clarify what a vulnerability assessment means compared with a penetration test, and what their common parts and differences are.

A vulnerability assessment provides a broad view of any existing flaws in the system without measuring the impact of those flaws on the system under test. The vulnerability assessment process carefully identifies and quantifies all the known vulnerabilities in a non-invasive manner. Penetration testing is considerably more intrusive than a vulnerability assessment and aggressively applies all of the technical methods needed to exploit the live production environment. The key difference is that penetration testing goes beyond identifying vulnerabilities and hooks into the process of exploitation, privilege escalation and maintaining access to the target system. Depending on the type of assessment being carried out, a specific set of testing processes, tools and techniques is followed to detect and identify vulnerabilities in the information assets, in an automated and/or manual fashion.

During the security assessment the Open Web Application Security Project (OWASP) methodology is applied in order to choose the best strategy and lower the risk to a minimum by following well-known best practices. OWASP developed the OWASP Top 10+ project, which categorises the top attack vectors and security weaknesses in relation to their technical and business impact. The assessment focuses on the high-risk problem areas rather than addressing every issue that surrounds the web application's security.
Vulnerability Assessment - 6 STAGES
  • Target scoping
  • Information gathering
  • Target discovery
  • Enumerating target
  • Vulnerability mapping
  • Documentation and reporting
Penetration testing - 5 Stages
  • Social engineering
  • Target exploitation
  • Privilege escalation
  • Maintaining access
  • Documentation and reporting

Security assessment approach

High level overview
  • Collect information about the targeted assets
  • Map the identified risks to the business and generate a risk rating matrix according to the vulnerabilities that can be exploited by threat agents
  • Help identify the vulnerabilities that can be introduced during the development process or when provisioning the infrastructure
  • Prove the existence of the vulnerabilities that pose a risk to the business
  • Put together all the information found during the assessment
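The risk rating matrix mentioned above is normally built with the OWASP Risk Rating Methodology: each finding is scored on eight likelihood factors and eight impact factors (0 to 9 each), the two averages are mapped to LOW/MEDIUM/HIGH bands, and a fixed matrix turns the pair into an overall severity. The following calculator is an added example written for this page, not code from the original page or from any particular assessment toolkit; the factor names, bands and severity matrix follow the published OWASP methodology, while the two sample findings and their scores are constructed for illustration.

```python
"""OWASP Risk Rating Methodology calculator (added example, not the page's own code).

Likelihood and impact are each the average of eight factors scored 0-9.
Bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH.  Overall severity comes from
the OWASP likelihood x impact matrix.  Sample findings below are constructed.
"""

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity: SEVERITY[impact_level][likelihood_level] (OWASP matrix)
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
LEVELS = ("LOW", "MEDIUM", "HIGH")


def score_to_level(score: float) -> str:
    """Map an averaged 0-9 score onto the OWASP LOW/MEDIUM/HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, scores) -> float:
    """Average the given factors, refusing incomplete or out-of-range scoring."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be scored 0-9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)


def rate_finding(likelihood_scores, impact_scores) -> dict:
    """Return likelihood, impact, their bands and the overall severity of one finding."""
    lk = average(LIKELIHOOD_FACTORS, likelihood_scores)
    im = average(IMPACT_FACTORS, impact_scores)
    lk_level, im_level = score_to_level(lk), score_to_level(im)
    return {
        "likelihood": round(lk, 2), "likelihood_level": lk_level,
        "impact": round(im, 2), "impact_level": im_level,
        "severity": SEVERITY[im_level][lk_level],
    }


def risk_matrix(findings) -> dict:
    """Bucket finding names by (impact level, likelihood level) for the report matrix."""
    matrix = {im: {lk: [] for lk in LEVELS} for im in LEVELS}
    for name, lk_scores, im_scores in findings:
        r = rate_finding(lk_scores, im_scores)
        matrix[r["impact_level"]][r["likelihood_level"]].append(name)
    return matrix


def format_matrix(matrix) -> str:
    """Render the matrix as plain text: rows = impact (HIGH first), columns = likelihood."""
    lines = ["impact \\ likelihood | " + " | ".join(f"{lk:<24}" for lk in LEVELS)]
    for im in reversed(LEVELS):
        cells = [", ".join(matrix[im][lk]) or "-" for lk in LEVELS]
        lines.append(f"{im:<19} | " + " | ".join(f"{c:<24}" for c in cells))
    return "\n".join(lines)


# Constructed sample findings: (name, likelihood factor scores, impact factor scores)
SAMPLE_FINDINGS = [
    ("SQL injection in login form",
     dict(zip(LIKELIHOOD_FACTORS, (3, 4, 9, 9, 7, 9, 9, 8))),   # avg 7.25 -> HIGH
     dict(zip(IMPACT_FACTORS, (7, 7, 5, 7, 7, 5, 5, 7)))),      # avg 6.25 -> HIGH
    ("Verbose server version banner",
     dict(zip(LIKELIHOOD_FACTORS, (5, 1, 4, 2, 9, 1, 4, 3))),   # avg 3.625 -> MEDIUM
     dict(zip(IMPACT_FACTORS, (2, 0, 0, 1, 1, 1, 2, 0)))),      # avg 0.875 -> LOW
]

if __name__ == "__main__":
    for name, lk, im in SAMPLE_FINDINGS:
        print(name, "->", rate_finding(lk, im))
    print(format_matrix(risk_matrix(SAMPLE_FINDINGS)))
```

The scores themselves remain a judgement call made by the assessor and agreed with the client; what the calculator fixes is the arithmetic and the band thresholds, so two assessors scoring the same finding the same way always land in the same cell of the matrix, and an incomplete or out-of-range score set is rejected rather than silently averaged.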
Web application security assessment (pentesting)

During this type of assessment we'll comprehensively assess the following: Authentication, Authorisation, Session Management, Data Validation, Transport Security and the Presentation layer.

The goal of this assessment is to identify the vulnerabilities present at the time of the security check and to determine the actual impact and the likelihood of exploitation for each of them.

The same methods and tools are used as the ones present in actual online attacks. The target systems of the assessment are typically web servers and web-based business applications, mail servers and other supporting services, security systems in place (firewalls, IPS, etc.), and other publicly accessible services of the organisation.

Vulnerability Assessment

During this assessment the application under test is checked by exposing it to malicious input and to the most common threats that arise from vulnerabilities or misconfigurations. The activity is carried out with automated tools that send predefined, crafted requests to verify known vulnerabilities.

Infrastructure Security Assessment

The aim of this assessment type is to identify all security weaknesses in the target environment. This includes:

  • Passive information gathering of publicly available data such as SNA and WHOIS registries
  • Active vulnerability scanning of identified services
  • Active testing of firewalls, routers, internet services like DNS or other filtering devices included in the target range


Requirements and deliverables

REQUIREMENTS

In order to complete the security assessment, the following points need to be covered:

  • A written agreement from the client stating that the client approves a security assessment of their application / environment
  • The targets in scope (IPs, domains, servers, etc.)
  • The environment should not change during the assessment
  • No other tests should interfere with the ongoing process (e.g. performance tests, manual or automated tests)
  • A backup of the data is recommended before the assessment
  • Any IDS/IPS/WAF in place should be configured not to interfere with the assessment
  • A time frame for the tests needs to be established
  • Contact persons who can be reached in case of emergencies during the tests
  • Agreed checkpoints over time (progress status notifications)
  • Deliverables and their level of depth
  • Methodology followed – presented above
  • Tools used – the list of tools depends on the programming language and technology used during application development
DELIVERABLES

Upon completion of the security test, a detailed report will be provided to the client including the following:

  • Executive summary: a brief explanation of the findings identified during the test and the risk level of each identified vulnerability from a business perspective
  • Findings section with a technical explanation of the attacks, the payloads used, the injection points and proof of each finding
  • Details and proposed solutions for each vulnerability identified

Conclusions and recommendations:

All other data produced during or after the security assessment (e.g. email correspondence, screenshots, tool logs, logins, passwords, IP addresses, personal data, etc.) falls under a non-disclosure clause, and the data retention period is agreed with the client.
Data is retained only if the client asks for it, for instance because further assessments or some other investigation will be required; otherwise, all the information is erased after it has been handed over to the client.

SECURITY ASSESSMENT COST

The cost of a security assessment / penetration test can vary considerably depending on the project size and on the client's scope and objectives. A more accurate cost can be given after quoting each test / activity that needs to take place in order to cover the client's objectives.