Vulnerability Assessment & Penetration Testing
Technology is getting more sophisticated and pervasive across every facet of our personal & professional lives. Everything from corporate IT systems to fridges and wristwatches are now “connected devices” which contain more computing than early space shuttles. The emerging Internet of Things will push an exponential increase in the number of connected devices out there, and the breadth and depth of their reach.
Although application architects & software developers are paying increasing attention to security, we are still seeing a corresponding rise in vulnerabilities emerging every day – new application, network and database vulnerabilities emerge in huge numbers every week. These weaknesses can be exploited by attackers, so to protect your IT infrastructure and safeguard sensitive data it is essential to find and fix them rapidly.
Our Vulnerability Scanning service utilises industry leading scanning technologies to scan your network devices, servers, applications and databases. Provided as an on-demand service, our vulnerability scanning & assessment service requires no purchases of hardware, software or maintenance. This makes this a much more accessible service that any client can sign up for without having to deal with the financial & administrative burden of acquiring these capabilities in-house.
Penetration Testing constitutes that part of a security assessment exercise which attempts to simulate the techniques adopted by an attacker in compromising the target systems. Our penetration testing methodology is carried out in accordance with industry standards and practices, combined with our extensive experience.
Web Application Security Testing
We assess the security of the application by focusing on remotely exploitable vulnerabilities, application architecture, design and implementation. We also assess the controls with respect to user access, privilege levels, development and delivery, and overall design of the applications. This helps to give the total threat profile of your web application environment.
Network Penetration Testing
This type of a penetration test involves identifying the targets through various methods such as Google searches, WHOIS, DNS queries, fingerprinting and identifying vulnerabilities. We then carry out limited exploitation – such as password guessing, directory traversals, file uploads etc. Depending on our engagement brief & sign-off, we can also undertake more invasive exploitation methods such as Denial of Service attacks, Buffer Overflow exploits etc. amongst others.
Automated port scanning, enumeration & fingerprinting
In large and very large networks, what is required is an automated way to periodically scan a large range of IP addresses, determine what ports are open, and attempt to identify the service running on those ports. An important activity is to produce trending analyses reports, which show new IP addresses or new ports that have appeared since the last scan was run. We offer a secure portal to our clients, where they can log in, enter their ranges, run the scans, view the reports and compare with previous scan results.
Risk-based Penetration Testing
It is no longer sufficient to rely solely on tool-based scans. A penetration testing team needs to understand business risks and build test cases accordingly. Whether we’re auditing an ERP system or a mobile app, our first step is to always understand the flow of the application, the business processes around the system, and the associated risks.
Once our automated port scans, enumeration and fingerprinting is complete, we then begin the real audit work by analysing the data we’ve gathered by leveraging our database of test cases combined with our strong understanding of both your business processes and those of others across your industry and of similar application use cases.
This approach can sometimes extend to social engineering, threat modelling and other elements that may not be typical of a traditional penetration test.
If this sounds of interest to you, or if you have any questions about our service please get in contact with us.
- By 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminalsGartnerSecurity & Risk Management Scenario Planning 2020