What we do and how we do it
We perform security testing of all kinds of IT systems: web applications, mobile applications, custom client-server applications, telephony and VoIP systems, hardware, operating systems, networks, etc. The goal of a security test is to identify the security vulnerabilities in the system under test, assess their business impact and provide recommendations for fixing them.
In the course of a project we generally follow these steps:
- Meet the client to define the scope of the test. During this meeting we discuss the functionality of the system/application to be tested, any constraints placed on the test (e.g. systems or functions to be excluded from testing), any specific security concerns the client might have, the involvement of third parties (whether the application is developed, managed or hosted by third parties), the expected timeframe of the test and the prerequisites for the test.
- Create a proposal or scope document that describes the test to be performed and estimates the time needed to perform it. The proposal acts as our offer.
- If the client accepts the proposal, we agree on the dates on which the test will be executed. No testing is performed outside the allocated timeframe unless otherwise agreed.
- The testing starts at the agreed time. For the duration of the test the system under test has to be up, running and fully functional. Depending on the nature of the tested system and the wishes of the client, the test may be performed on-site or remotely. We request that a contact person from the client side is assigned to the project. We keep the contact person informed of the progress of the test and of major findings as soon as they are confirmed.
- Once the test is completed we create a report. The report contains:
  - A Summary describing the scope of the test, the main results and our general assessment of the security level of the application.
  - A Findings and Recommendations section listing all security problems identified in the application. Each finding includes a general description of the problem to provide context, the business impact of the problem, and a specific description including, where necessary, screenshots, code extracts, HTTP requests and responses and any other information needed to understand the problem and identify the component in which it occurs. Each finding also includes recommendations which are, whenever possible, specific to the technology and platform of the application under test.
  - A Test Log section describing the tests performed. This section provides detailed information on how we executed the test, which tools were used and how, and what the outcomes of the individual tests were.
- Whenever possible we try to get feedback from the client on the report findings. In particular it is very important to discuss the business impact of the findings, since the client has a better understanding of what is and is not important for their business. Providing recommendations also relies on client feedback, since a given recommendation might be impractical to implement in the client's circumstances, while the client might have viable alternatives.
- If requested by the client, we can organize a meeting to discuss the findings of the test with the involved parties (technical team, management, developers, vendors, etc.).