Penetration Testing Assessments
Penetration Testing, also known as ethical hacking, is conducted to determine the true risk of identified vulnerabilities through exploitation: attempting to gain root or administrator-level access to the target systems, or access to other trusted user accounts. Level-of-effort options include Rapid Testing, which is limited to the use of automated tools, and Advanced Testing, which includes both automated tools and manual testing. During this process, the same tools and methods that attackers would use are applied to gain control of, or access to, the systems and information that are to be protected. After manual verification of the testing results, we provide a mitigation plan to secure the network and prevent the information from being accessed.
- Internal Penetration Test (Rapid/Advanced)
Confirm and determine the true risk of vulnerabilities from the internal view of the network.
- External Penetration Test (Rapid/Advanced)
Confirm and determine the true risk of vulnerabilities from the external, or public facing, view of the network.
Web Application Testing
Testing targeted at the application and its hosting environment uses automated application security tools to evaluate the strength of an application and provide a high-level view of its security posture by running pre-programmed attacks against the environment. These tools can identify basic attack vectors specific to internet applications for serious problems such as Cross-Site Scripting, SQL Injection and web server configuration vulnerabilities. We also provide manual testing of the site using various methods, including the manipulation of HTTP traffic through a browser such as Firefox or Internet Explorer as well as through proxy tools. This manual testing allows consultants to fully understand the functionality of the site and to attempt to detect and exploit deficiencies in the application logic. Types of vulnerabilities to be tested may include, but are not limited to: Cross-Site Scripting, Injection Flaws, Web Server Security, Logic Flaws, Weak Input Validation, Cross-Site Request Forgery, Improper Error Handling, Weak Session Management, Insecure Information Handling, Weak Encryption, Improper Privilege Separation, Privilege Escalation and Cross-Account Access.
Application security code review services offer line-by-line inspection of the application to identify security flaws or backdoors left in the application. An application security code review is designed to highlight potential security vulnerabilities within the application based on a defined application threat model. Our approach to Application Security Code Review typically involves the following steps:
Threat Modeling – A high-level threat model is developed in coordination with the development team, which helps us understand the application's functionality and existing security threats. Risks identified in the threat model tell us which code to look at first and most deeply.
Automation – Automated tools are used to assess the code for semantic and language-level security bugs and to speed up the search for vulnerabilities such as Cross-Site Scripting (XSS), Injection flaws, File Canonicalization issues and other classes that would otherwise require extensive manual labor.
Manual Validation – Significant issues are validated manually, and a line-by-line inspection of the application code is conducted to find logic errors, insecure use of cryptography, insecure system configurations, and other known issues specific to the platform (e.g. buffer overflows).