PENETRATION TESTING

WEB

We test web applications using Black Box and Gray Box methodologies.

Test findings are used to create a report, delivered in digital form, including the description and proof of identified vulnerabilities, guidelines aimed at their elimination, and an indication of the potential effects of their use.

The methodology used in the process encompasses the best practices described in „OWASP Testing Guide V4”. tests are performed to detect programming, configuration, and logical errors, most of the time without access to application code or configuration files.

MOBILE

Tests of mobile applications are performed using Black Box and White Box methodology. The audit is intended to check the security of a mobile application, the communication between the application and the backend server, as well as the data stored locally by the application.

In black-box testing, the auditor's initial knowledge of the analyzed application is limited. Test accounts reﬂecting particular authorization levels are created for the time of the audit.

The tests are aimed at detecting programming, conﬁguration, and logical errors related to the operation of the mobile application without access to its initial source code.

The method used in testing includes the veriﬁcation of threats presented in "OWASP Top 10 Mobile Risks". Test ﬁndings are used to create a report, delivered in an electronic form, including the description and proof

of identiﬁed vulnerabilities and guidelines aimed at their elimination.

THICK CLIENT

Testing the thick client application is intended to check security and identify threats related to the software of that type.

The process consists of manual verification of particular vulnerability classes and, if possible, automatic testing, which is run parallelly. The application is subject to both static and dynamic analysis.

Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.

If the thick client application relies on the API service, it too is subject to testing. In this case, our signature expert approach is employed, drawing on best market practices and the OWASP Application Security Verification Standard (ASVS).

TESTING METHODS:

Dynamic tests, for instance, fuzzing, interference in network trafﬁc, veriﬁcation of cryptographic protections, and application debugging.
Checks to operating system components, e.g. reviewing logs, application data, processes, memories, and registry keys related to the application.
Static tests, e.g., reverse engineering, analyzing the delivered binaries.

If the thick client application relies on the API service, it is also subject to testing.

Test ﬁndings are used to create a report, delivered in an electronic form, including the description and proof of identiﬁed vulnerabilities and guidelines aimed at their elimination.

INFRASTRUCTURE

INTERNAL AND EXTERNAL

These consist in testing all the discovered sub-networks of a device in terms of possible vulnerabilities or misconfiguration errors that enable taking control over the component in question. Tests also cover the possibility of performing an effective DoS attack aimed at interrupting the proper functioning of local network hosts. In the event of using switches from a niche manufacturer, it may result in a network failure in the case of performing simple attacks, such as ARP spoofing.

The goal of these tests, above all, is to determine the visibility of hosts with their services which may be subject to an attack by persons with physical access to the network. The general idea behind the tests is to compromise as many network devices as possible.

Infrastructure testing aims to verify the security of services and systems available to the users via the Internet (external) and LAN network (internal).

External infrastructure tests are performed using an expert approach, emulating the best market practices, CIS Security Benchmarks, DISA STIGs, OSSTMM, and PTES.

The procedure consists of automatic testing, whose goal is to identify the most vulnerabilities, and manual verification to confirm the vulnerabilities and their exploitation.

The tests encompass the following activities:

Identification of shared services
Identification of vulnerabilities in detected services
Verification of identified vulnerabilities
Attempts at exploiting identified vulnerabilities (if included in the test scope)