What we do and how we do it
We perform the security testing of all kinds of IT systems: web applications, mobile applications, custom client-server applications, telephony and VoIP systems, hardware, systems, networks, etc. The goal of a security test is to identify the security vulnerabilities in the system under test, assess their business impact and provide recommendations for fixing them.
In the course of a project we generally follow these steps:
- Meet the client to define the scope of the test. During this meeting we discuss the functionality of the system/application to be tested, any constraints placed on the test (e.g. systems or functions to be excluded from testing), any specific security concerns the client might have, the involvement of third parties (whether the application is developed, managed or hosted by third parties), the expected timeframe of the test and the prerequisites for the test.
- Create a proposal or scope document that describes the test to be performed and estimates the time needed to perform the test. The proposal acts as an offer.
- If the client agrees to the proposal, we agree on the dates when the test will be executed. No testing will be performed outside of the allocated timeframe unless otherwise agreed.
- The testing is started at the agreed time. At the time of the test the system under test has to be up and running and fully functional. Depending on the nature of the tested system and the wishes of the client the test may be performed on-site or remotely. We request that a contact person from the client side is assigned for the project. We keep the contact person informed regarding the progress of the test and major findings.
- Once the test is completed we create a report. The report contains:
  - A Summary describing the scope of the test, the main results and the general assessment of the application's security level.
  - A Findings and Recommendations section listing all security problems identified in the application. Each finding includes a general description of the problem to provide context, the business impact of the problem, and a specific description including, where necessary, screenshots, code extracts, HTTP requests and responses and any other information needed to understand the problem and identify the component where it occurs. Each finding also includes recommendations, whenever possible specific to the technology and platform of the application under test.
  - A Test Log section describing the tests performed. This section provides detailed information on how we executed the test, what tools were used and how, and what the outcomes of the specific tests were.
- Whenever possible we try to get feedback from the client regarding the report findings. In particular it is very important to discuss the business impact of the findings, since the client has a better understanding of what is and is not important for their business. Providing recommendations also relies on client feedback, since a given recommendation might be impractical to implement in the given circumstances, but the client might have viable alternatives.
- If requested by the client we can organize a meeting to discuss the findings of the test with the involved parties (technical team, management, developers, vendors, etc.)
Web Application Security Testing
Web applications are usually the most exposed part of an organization's IT infrastructure. Being custom-developed often makes web applications vulnerable to attack. Processing valuable business data and tapping into back-end systems makes them an entry point into the company IT system. Thus securing web applications is an important task in the overall security program of any organization.
We offer web application security testing and security code review services.
A security test simulates an attack on a web application and aims at discovering as many security problems in the application as possible. The test is usually performed both from the perspective of an external unauthenticated attacker and from the perspective of an authorized but malicious user. A source code review supplements a security test, allowing us to discover less obvious bugs, find all occurrences of a given problem within the code base and give better advice to the application developers.
For web application security tests we follow the OWASP Application Security Verification Standard. Depending on the customer's requirements, we can offer Level 1, Level 2 or Level 3 testing as defined in the standard.
For source code reviews, due to the different technologies used in various applications, it is difficult to provide a single specific methodology. The general approach used is as follows:
- Understand the business purpose of the application and the potential security risks from a business point of view. This step requires a demo of the application with an explanation of how it is used.
- Understand the code structure. This step requires a walk-through of the source code, identifying and describing the main units (e.g. packages, classes, etc.).
- Identify application entry points where the user-supplied data enters the application flow.
- Trace the data flow through the application and document the implemented logic. This step usually allows us to identify business logic problems.
- Check “known dangerous” operations (file uploads, file handling, SQL operations, encryption and signature verification, etc.). This step usually allows us to identify “technical” security bugs, such as SQL injection, directory traversal, etc.
- Check for technology-specific problems. This depends on frameworks and technologies in use.
At the end of the assignment a meeting with the developers will be organized to explain and discuss the discovered problems and the ways to avoid them.
As a result of a web application security test and/or code review we deliver a report consisting of the following parts:
- Summary. The first part will contain a high-level overview of the work that was performed and the most important issues which were identified.
- Findings and recommendations. This is the most important part of the report, listing all discovered security problems (ranked according to their perceived severity). For each listed issue, recommendations are included that provide guidance on how the issue could be addressed or mitigated.
- Detailed test results. The final report part provides a detailed technical overview of the tests which were executed, together with the outcome of these tests. Inclusion of the detailed list of tests together with the outcome allows independent test validation.
The report will be delivered in electronic format, as a PDF (Adobe Acrobat) document.
Mobile Applications Security Testing
With more than 10 years of combined experience in mobile application security testing at Gremwell, we have audited a fair share of mobile application implementations on both iOS and Android. We follow the OWASP Mobile Application Security Verification Standard and can provide Level 1 and Level 2 verification based on customer requirements.
Internal and External Network Testing
The objective of such a test is to cover as much ground as possible. We do not target the weakest point, as in a red team exercise, but target all systems that are in scope and review each and every identified service.
External testing includes full network scans over both IPv4 and IPv6, automated vulnerability scans, transport security assessment, and a thorough review of each identified service. If our customers request it, we can demonstrate the exploitability of identified vulnerabilities.
Internal testing includes assessing network access controls (e.g. 802.1X, MAC filtering), taking traffic captures for extended periods of time, identification of layer 2 attacks (e.g. DHCP snooping, ARP poisoning, HSRP hijacking), full network scans over both IPv4 and IPv6, automated vulnerability scans, transport security assessment, and an overall network design audit.
As part of internal testing, we can also audit wireless security by performing wireless surveys of our customer's sites, including active attacks against wireless clients.
We have worked within a large variety of networks, from traditional corporate networks to advanced telecom infrastructure.
All our work is performed in coordination with our customers to make sure we do not impact business availability.
When it comes to red teaming, we first have an in-depth discussion with our customer in order to understand their business and which assets are the most important for them to protect.
We also cover recent threats the organization or its overall sector faced over the last months to get an idea of the general threat landscape.
We then define what kind of intrusion techniques we are allowed to use (e.g. physical intrusion, phishing, social engineering, network intrusion).
Based on the customer's allotted time and the initial discussion, we build a scenario detailing the attacker's capabilities, main objective, and secondary objectives.
Once our customer has signed off on the proposed scenarios, we start the execution. We follow the unified intrusion kill chain steps, using tools, tactics, and procedures matching the attacker's capabilities defined in the scenario. We refer to MITRE ATT&CK if we are tasked with emulating a specific threat group.
Telephony and VoIP Security Testing
We have developed in-depth knowledge of telephony and VoIP networks thanks to our long term partnerships with large telecommunications companies.
Our telephony and VoIP audits can include:
- transport security assessment - we verify whether or not communication channels are protected from active eavesdropping
- network security assessment of VoIP networks, including IP phones and all components in between
- IP phone auto-provisioning security assessment
- VoIP oriented security testing to make sure your network is not vulnerable to known attacks (e.g. caller ID spoofing, registration hijacking, toll fraud)
Want to see how we work? Take a look at our recent security audit of DTLS-SRTP.
Hardware Security Testing
Part of our workforce comes from the embedded development engineering field, and we apply that experience to execute in-depth hardware security reviews. We have executed these tests against a wide range of targets: from media sharing devices to networking equipment deployed in highly secure environments.
These reviews can include:
- verifying the robustness of physical anti-tampering mechanisms (protection seals, anti-tampering switches)
- documenting components on the board
- identifying debug ports left by manufacturers
- analyzing the device's behavior against physical fault injections
- performing software fuzzing through physical interfaces (e.g. USB protocol, serial protocols)
- extracting firmware from memory (either logical extraction via debug ports or physical extraction through chip de-soldering)
- reviewing secure boot implementations
Whether it is to pass a compliance audit, to gain knowledge of what your competitors or adversaries could extract from your devices, or to make sure attackers cannot compromise your devices through physical means, our audits have you covered. This is usually executed hand-in-hand with a software security review of the firmware running on the analyzed devices.
Custom Applications Security Testing
We have experience testing various complex custom systems consisting of multiple software and hardware components. Some examples of the systems we have tested:
- An IoT device that is initially configured over a Bluetooth link from a mobile app, and receives firmware updates and configuration changes over a WiFi connection from a remote server. All parts of the system were in scope of the test.
- An entry/exit control system interacting with sensors and scanners locally and cloud infrastructure over the Internet
- A desktop application, web application and a set of web services used for document workflow management
- A mobile application, mobile friendly web interface and a set of web-based services for ad-hoc audio and video conferencing and messaging
Secure Mobile Development
With more than 10 years of combined experience in mobile application security testing at Gremwell, we have audited a fair share of mobile application implementations on both iOS and Android. Over the years, some patterns started emerging and we finally decided this year to document everything in dedicated courses for iOS and Android developers.
While the Android course is still in development, we are ready to teach the iOS course. You can find all the details here.