PENETRATION TESTING

WEB

We test web applications using Black Box and Gray Box methodologies.

Test findings are used to create a report, delivered in digital form, including the description and proof of identified vulnerabilities, guidelines aimed at their elimination, and an indication of the potential effects of their use.

The methodology used in the process encompasses the best practices described in „OWASP Testing Guide V4”.  tests are performed to detect programming, configuration and logical errors, most of the time without access to application code or configuration files.

MOBILE
 

Tests of mobile applications are performed using Black Box and White Box methodology.The audit is intended to check the security of mobile application, the communication between the applicationand the backend server, as well as the data stored locally by the application.

In black-box testing, the auditor's initial knowledge on the application being analyzed is limited. Test accounts reflecting particular authorization levels are created for the time of the audit.

The tests are aimed at detecting programming, configuration and logical errors related to the operation of the mobile application without access to its initial source code.

The method used in testing includes the verification of threats presented in „OWASP Top 10 Mobile Risks”. Test findings are used to create a report, delivered in an electronic form, including the description and proof

of identified vulnerabilities and guidelines aimed at their elimination.

THICK CLIENT

Testing the thick client application is intended to check security as well as identify threats related to software of that type.

The process consists of manual verification of particular vulnerability classes and, if possible, automatic testing which is run parallelly. The application is subject to both static and dynamic analysis.

Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.

If the thick client application relies on the API service, it too is subject to testing. In this case our signature expert approach is employed, drawing on best market practices and the OWASP Application Security Verification Standard (ASVS).

Testing methods:

  • Dynamic tests, for instance fuzzing, interference in network traffic, verification of cryptographic protections, application debugging.

  • Checks to operating system components, e.g. reviewing logs, application data, processes, memories, and registry keys related to the application.

  • Static tests, e.g. reverse engineering, analyzing the delivered binaries.

If the thick client application relies on the API service, it subject to testing as well.

Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.

INFRASTRUCTURE

INTERNAL AND EXTERNAL

These consist in testing all the discovered sub-networks of a device in terms of possible vulnerabilities or misconfiguration errors that enable taking control over the component in question. Tests also cover the possibility of performing an effective DoS attack aimed at interrupting proper functioning of local network hosts. In the event of using switches from a niche manufacturer, it may result in a network failure in case of performing simple attacks, such as ARP spoofing.

The goal of these tests, above all, is to determine the visibility of hosts with their services which may be subject to an attack by persons with physical access to the network. The general idea behind the tests is to compromise as many network devices as possible.

Infrastructure testing aims to verify the security of services and systems available to the users both via the internet (external), as well as LAN network (internal).

External infrastructure tests are performed using an expert approach, emulating the best market practices, CIS Security Benchmarks, DISA STIGs, OSSTMM, PTES.

The procedure consists of automatic testing, whose goal is to identify the most vulnerabilities, as well as manual verification aimed at confirming the vulnerabilities and their exploitation.

The tests encompasses the following activities:

  • Identification of shared services

  • Identification of vulnerabilities in detected services

  • Verification of identified vulnerabilities

  • Attempts at exploiting identified vulnerabilities (if included in the test scope)