PENETRATION TESTING
WEB
We test web applications using Black Box and Gray Box methodologies.
Test findings are used to create a report, delivered in digital form, including the description and proof of identified vulnerabilities, guidelines aimed at their elimination, and an indication of the potential effects of their use.
The methodology used in the process encompasses the best practices described in „OWASP Testing Guide V4”. tests are performed to detect programming, configuration, and logical errors, most of the time without access to application code or configuration files.
MOBILE
Tests of mobile applications are performed using Black Box and White Box methodology. The audit is intended to check the security of a mobile application, the communication between the application and the backend server, as well as the data stored locally by the application.
In black-box testing, the auditor's initial knowledge of the analyzed application is limited. Test accounts reflecting particular authorization levels are created for the time of the audit.
The tests are aimed at detecting programming, configuration, and logical errors related to the operation of the mobile application without access to its initial source code.
The method used in testing includes the verification of threats presented in "OWASP Top 10 Mobile Risks". Test findings are used to create a report, delivered in an electronic form, including the description and proof
of identified vulnerabilities and guidelines aimed at their elimination.
THICK CLIENT
Testing the thick client application is intended to check security and identify threats related to the software of that type.
The process consists of manual verification of particular vulnerability classes and, if possible, automatic testing, which is run parallelly. The application is subject to both static and dynamic analysis.
Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.
If the thick client application relies on the API service, it too is subject to testing. In this case, our signature expert approach is employed, drawing on best market practices and the OWASP Application Security Verification Standard (ASVS).
TESTING METHODS:
-
Dynamic tests, for instance, fuzzing, interference in network traffic, verification of cryptographic protections, and application debugging.
-
Checks to operating system components, e.g. reviewing logs, application data, processes, memories, and registry keys related to the application.
-
Static tests, e.g., reverse engineering, analyzing the delivered binaries.
If the thick client application relies on the API service, it is also subject to testing.
Test findings are used to create a report, delivered in an electronic form, including the description and proof of identified vulnerabilities and guidelines aimed at their elimination.