We are able to recognize and assess the security risks and vulnerabilities of your application using a wide range of techniques, such as penetration testing, vulnerability scanning, security code reviews or risk assessments.
We can help to maintain and modernize your IT infrastructure and solve various infrastructure-specific issues a business may face.
A few things we’re great at
Objective
Security assessment involves probing applications, operating systems and device configurations with the goal of gaining access to protected data, escalating privileges to restricted resources, modifying sensitive data, and making data and systems unavailable, temporarily or permanently. To eliminate or reduce these risks before an attacker can exploit the weak points, a security assessment is mandatory. The security assessment focuses on covering the OWASP Top 10 and beyond, testing each asset against multiple attack vectors to identify unaddressed threats and to verify the security measures already in place. The security assessment offers a broad view of the existing flaws in the system without measuring the impact of those flaws. There are three approaches to this assessment: white box, grey box and black box. Each depends on the level of knowledge the auditor has before starting the assessment. With the black box approach (meaning as little information as possible is provided up front), the time available for finding vulnerabilities is reduced by the tasks needed to identify users, endpoints, application infrastructure, etc. We recommend the grey box approach, in which the client provides test accounts for every user role, with their passwords, so that as much as possible of the functionality exposed by the system can be exercised. The white box approach adds access to source code; it is the right choice when security work is done in parallel with development.
The scope
The scope of the security assessment can be covered by one or more of the following:
- Web application vulnerability assessment
- Penetration testing
- Infrastructure security assessment
Vulnerability assessment
Vulnerability assessment - 6 stages
- Target scoping
- Documentation and reporting
Penetration testing - 5 stages
- Social engineering
- Target exploitation
- Privilege escalation
- Maintaining access
- Documentation and reporting
Security assessment approach
High level overview
- Collect information about the targeted assets
- Map the identified risks to the business and generate a risk rating matrix for the vulnerabilities that threat agents can exploit
- Help identify vulnerabilities that can be introduced during the development process or when provisioning the infrastructure
- Prove the existence of the vulnerabilities that pose a risk to the business
- Put together all information found during the assessment
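The risk rating matrix mentioned above, as an added worked example (not the assessment provider's own tooling). It assumes the OWASP Risk Rating Methodology, which the page does not name: likelihood and impact are each the average of eight factors scored 0-9, bucketed as LOW (below 3), MEDIUM (3 to below 6) and HIGH (6 to 9), and the overall severity is read from a 3x3 likelihood/impact matrix. The findings and their scores are constructed for illustration.

```python
"""Risk rating matrix for assessment findings (added example).

Assumes the OWASP Risk Rating Methodology: likelihood and impact are each
the mean of eight 0-9 factors, bucketed LOW / MEDIUM / HIGH, and the overall
severity comes from a 3x3 matrix. Sample findings below are constructed.
"""
from dataclasses import dataclass
from statistics import mean

# Overall severity indexed as MATRIX[likelihood_level][impact_level],
# following the OWASP likelihood/impact table.
MATRIX = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}
RANK = {"NOTE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Factor order used by the sample data below.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("confidentiality", "integrity", "availability",
                  "accountability", "financial", "reputation",
                  "non_compliance", "privacy")


def level(score: float) -> str:
    """Bucket a 0-9 score into LOW / MEDIUM / HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


@dataclass
class Finding:
    title: str
    likelihood_factors: tuple  # eight values, 0-9, in LIKELIHOOD_FACTORS order
    impact_factors: tuple      # eight values, 0-9, in IMPACT_FACTORS order

    def __post_init__(self):
        for factors, names in ((self.likelihood_factors, LIKELIHOOD_FACTORS),
                               (self.impact_factors, IMPACT_FACTORS)):
            if len(factors) != len(names):
                raise ValueError(f"{self.title}: expected {len(names)} factors")
            if any(not 0 <= f <= 9 for f in factors):
                raise ValueError(f"{self.title}: factors must be 0-9")

    def likelihood(self) -> float:
        return mean(self.likelihood_factors)

    def impact(self) -> float:
        return mean(self.impact_factors)

    def severity(self) -> str:
        return MATRIX[level(self.likelihood())][level(self.impact())]


def risk_register(findings):
    """Return (title, likelihood, impact, severity) rows, worst first.

    Ties on severity are broken by likelihood * impact so the report's
    findings section lists the most pressing item first."""
    rows = [(f.title, f.likelihood(), f.impact(), f.severity()) for f in findings]
    return sorted(rows, key=lambda r: (RANK[r[3]], r[1] * r[2]), reverse=True)


# Constructed sample findings (scores are illustrative, not from a real test).
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form",
            (6, 9, 9, 9, 7, 9, 9, 8),   # mean 8.25  -> HIGH likelihood
            (7, 7, 5, 7, 7, 5, 7, 7)),  # mean 6.5   -> HIGH impact
    Finding("Verbose server version banner",
            (9, 1, 9, 9, 9, 1, 9, 9),   # mean 7.0   -> HIGH likelihood
            (2, 1, 1, 1, 1, 1, 2, 1)),  # mean 1.25  -> LOW impact
    Finding("No rate limiting on password reset",
            (5, 6, 7, 9, 5, 5, 6, 3),   # mean 5.75  -> MEDIUM likelihood
            (5, 3, 3, 5, 3, 4, 3, 5)),  # mean 3.875 -> MEDIUM impact
]

if __name__ == "__main__":
    for title, lik, imp, sev in risk_register(SAMPLE_FINDINGS):
        print(f"{sev:9s} L={lik:.2f} I={imp:.2f}  {title}")
```

Note how the banner leak lands at MEDIUM despite a LOW impact: the matrix weights a near-certain, trivially exploitable finding up, which is why the executive summary should quote both axes and not only the final label.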
Web application security assessment (pentesting)
During this type of assessment we'll comprehensively assess the following: Authentication, Authorisation, Session Management, Data Validation, Transport Security and the Presentation layer.
The goal of this assessment is to identify the vulnerabilities present in the application at the time of the check and to determine the actual impact and likelihood of exploitation.
The same methods and tools are used as the ones present in actual online attacks. The target systems of the assessment are typically web servers and web-based business applications, mail servers and other supporting services, security systems in place (firewalls, IPS, etc.), and other publicly accessible services of the organisation.
During this assessment the application under test is exercised with malicious input and with the most common threats arising from vulnerabilities or misconfigurations. Automated tools are used as part of this activity; they send predefined crafted requests to check for known vulnerabilities, and their results are verified manually so that the report contains no unconfirmed scanner output.
Infrastructure Security Assessment
The scope of this assessment type is to identify all security weaknesses in the target environment. This will include:
- Passive information gathering of publicly available data such as SNA and WHOIS registries
- Active vulnerability scanning of identified services
- Active testing of firewalls, routers, internet services like DNS or other filtering devices included in the target range
Requirements and deliverables
In order to complete the security assessment, the following points must be covered:
- A written agreement from the client approving the security assessment of their application/environment
- The targets in scope (IPs, domains, servers, etc.)
- The environment should not change during the assessment
- No other tests should interfere with the ongoing process (e.g. performance tests, manual or automated tests)
- Before the assessment it is recommended to have a backup of data
- Any IDS/IPS/WAF in place should be configured not to interfere with the assessment (for example by allow-listing the tester's source addresses), otherwise the results reflect the filtering device rather than the application
- The time-frame for the tests needs to be established
- Contact persons that can be reached in case of emergencies during the tests
- Agreed checkpoints over time (progress status notifications)
- Deliverables and their level of depth
- Methodology followed – presented above
- Tools used – the list of tools depends on the programming language and technology used during application development.
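The scope agreed in the points above is only useful if every discovered host is checked against it before a single packet is sent. The following is an added example of such a check (not the provider's own tooling). It assumes the scope is written as CIDR ranges, single IP addresses and host names, with a leading dot marking a domain whose subdomains are all in scope, plus an exclusion list that always wins; the scope entries and discovered hosts below are constructed. Host names are matched syntactically only; a real checker must also resolve each name and check the resulting address against the scope.

```python
"""Scope check for assessment targets (added example).

Assumes the agreed scope is a list of CIDRs, bare IP addresses and host
names; a leading dot (".corp.example.com") covers the apex and all of its
subdomains. Exclusions override the scope. Sample data is constructed.
"""
import ipaddress


def _norm_name(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_scope(entries):
    """Split scope entries into IP networks, exact host names and domain suffixes."""
    nets, hosts, suffixes = [], set(), []
    for entry in entries:
        entry = entry.strip()
        try:
            # strict=False turns a bare host address into a /32 or /128.
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        name = _norm_name(entry)
        if name.startswith("."):
            suffixes.append(name)
        else:
            hosts.add(name)
    return nets, hosts, suffixes


def _matches(target: str, nets, hosts, suffixes) -> bool:
    try:
        addr = ipaddress.ip_address(target.strip())
        # An address of the other IP version is never inside a network.
        return any(addr in net for net in nets)
    except ValueError:
        pass
    name = _norm_name(target)
    if name in hosts:
        return True
    # ".corp.example.com" covers the apex and its subdomains; matching on the
    # dotted suffix stops "evil-corp.example.com" from slipping in.
    return any(name == s[1:] or name.endswith(s) for s in suffixes)


def in_scope(target: str, scope, exclusions=()) -> bool:
    """True if target is covered by scope and not by exclusions."""
    if _matches(target, *parse_scope(exclusions)):
        return False
    return _matches(target, *parse_scope(scope))


def split_targets(candidates, scope, exclusions=()):
    """Partition discovered targets into (allowed, rejected) before scanning."""
    allowed = [t for t in candidates if in_scope(t, scope, exclusions)]
    rejected = [t for t in candidates if t not in allowed]
    return allowed, rejected


# Constructed sample scope, as a rules-of-engagement document might list it.
SCOPE = ["203.0.113.0/24", "2001:db8:1::/48", "app.example.com", ".corp.example.com"]
EXCLUSIONS = ["203.0.113.250"]   # e.g. a production database host the client carved out
# Constructed sample: hosts turned up during information gathering.
DISCOVERED = ["203.0.113.10", "203.0.113.250", "203.0.114.1", "APP.example.com.",
              "vpn.corp.example.com", "corp.example.com", "evil-corp.example.com",
              "corp.example.com.attacker.net", "2001:db8:1::5", "2001:db8:2::5"]

if __name__ == "__main__":
    ok, rejected = split_targets(DISCOVERED, SCOPE, EXCLUSIONS)
    print("in scope:    ", ok)
    print("out of scope:", rejected)
```

Run this over the host list produced by the information-gathering stage and feed only the allowed half to the scanner; the rejected half goes back to the client contact for a scope decision rather than into the test.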
Upon completion of the security test, a detailed report will be provided to the client including the following:
- Executive summary: a brief explanation of the findings identified during the test and the risk level each vulnerability carries from a business perspective
- Findings section with a technical explanation of the attacks, payloads used, injection points and proofs of the findings.
- Details and proposed solutions for each vulnerability identified.
- Conclusions and recommendations.
All other data produced during or after the security assessment (e.g. email correspondence, screenshots, tool logs, logins, passwords, IP addresses, personal data, etc.) falls under the non-disclosure clause, and its retention will be agreed with the client.
Data is retained only if the client asks for it, for instance when further assessments or some other investigation will be required; otherwise all the information is erased after it has been handed over to the client.
The cost of a security assessment / penetration test can vary considerably depending on the project size and on the client's scope and objectives. A more accurate cost can be given after quoting each test or activity that needs to take place to cover the client's objectives.