What we do and how we do it
We perform the security testing of all kinds of IT systems: web applications, mobile applications, custom client-server applications, telephony and VoIP systems, hardware, systems, networks, etc. The goal of a security test is to identify the security vulnerabilities in the system under test, assess their business impact and provide recommendations for fixing them.
In the course of a project we generally follow these steps:
- Meet the client to define the scope of the test. During this meeting we discuss the functionality of the system/application to be tested, any constraints placed on the test (e.g. systems or functions to be excluded from testing), any specific security concerns the client might have, the involvement of third parties (whether the application is developed, managed or hosted by a third party), the expected timeframe of the test and the prerequisites for the test.
- Create a proposal or scope document that describes the test to be performed and estimates the time needed to perform the test. The proposal acts as an offer.
- If the client agrees to the proposal, we agree on the dates when the test will be executed. No testing will be performed outside of the allocated timeframe unless otherwise agreed.
- The testing starts at the agreed time. For the duration of the test the system under test has to be up and running and fully functional. Depending on the nature of the tested system and the wishes of the client, the test may be performed on-site or remotely. We request that a contact person from the client side be assigned for the project. We keep the contact person informed about the progress of the test and any major findings.
- Once the test is completed we create a report. The report contains:
  - A Summary describing the scope of the test, the main results and the general assessment of the application's security level
  - A Findings and Recommendations section listing all security problems identified in the application. Each finding includes a general description of the problem to provide context, the business impact of the problem, and a specific description, including where necessary screenshots, code extracts, HTTP requests and responses and any other information needed to understand the problem and identify the component in which it occurs. Each finding also includes recommendations, whenever possible specific to the technology and platform of the application under test
  - A Test Log section describing the tests performed. This section provides detailed information on how we executed the test, which tools were used and how, and what the outcomes of the specific tests were
- Whenever possible we try to get feedback from the client regarding the report findings. In particular it is very important to discuss the business impact of the findings, since the client has a better understanding of what is and is not important for their business. Providing recommendations also relies on client feedback, since a given recommendation might be impractical to implement in the given circumstances, but the client might have viable alternatives.
- If requested by the client we can organize a meeting to discuss the findings of the test with the involved parties (technical team, management, developers, vendors, etc.).
Web Application Security Testing
Web applications are usually the most exposed part of an organization's IT infrastructure. Being custom-developed often makes web applications vulnerable to attack. Processing valuable business data and tapping into back-end systems makes them an entry point into the company's IT systems. Securing web applications is therefore an important task in the overall security program of any organization.
We offer web application security testing and security code review services.
A security test simulates an attack on a web application and aims at discovering as many security problems in the application as possible. The test is usually performed both from the perspective of an external unauthenticated attacker and from the perspective of an authorized but malicious user. A source code review supplements a security test, allowing us to discover less obvious bugs, find all occurrences of a given problem within the code base and give better advice to the application developers.
For web application security tests we follow the OWASP Application Security Verification Standard (ASVS). Depending on the customer's requirements, we can offer Level 1, Level 2 or Level 3 testing as defined in the standard.
For source code reviews it is difficult to provide a single specific methodology, because of the different technologies used in various applications. The general approach is as follows:
- Understand the business purpose of the application and the potential security risks from a business point of view. This step requires a demo of the application with an explanation of how it is used.
- Understand the code structure. This step requires a walk-through of the source code, identifying and describing the main units (e.g. packages, classes, etc.).
- Identify application entry points where user-supplied data enters the application flow.
- Trace the data flow through the application and document the implemented logic. This step usually allows us to identify business logic problems.
- Check "known dangerous" operations (file uploads, file handling, SQL operations, encryption and signature verification, etc.). This step usually allows us to identify "technical" security bugs, such as SQL injection, directory traversal, etc.
- Check for technology-specific problems. This depends on the frameworks and technologies in use.
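The following is an added example, not code from the page or from the consultancy described on it, showing what the entry point / data flow / dangerous operation steps above look like when applied to a small document download handler. The handler, the `documents` table, the owner directories and the sample rows are all constructed for this example. Two sinks are traced from a single untrusted input dictionary (assumed to hold decoded query-string values): a SQL query built by string formatting and a file path built from a request parameter. The hardened version keeps the same functionality but binds the id as a query parameter and resolves the file path inside the owner's directory before opening it.

```python
import os
import sqlite3
import tempfile


def build_fixture():
    """Constructed test data: an in-memory documents table and a temporary
    document root with one file per owner (assumptions of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "alice", "report.pdf"), (2, "bob", "payroll.pdf")],
    )
    root = tempfile.mkdtemp()
    for owner, name, body in [("alice", "report.pdf", b"alice-report"),
                              ("bob", "payroll.pdf", b"bob-payroll")]:
        os.makedirs(os.path.join(root, owner), exist_ok=True)
        with open(os.path.join(root, owner, name), "wb") as fh:
            fh.write(body)
    return conn, root


def download_vulnerable(conn, root, user, params):
    """Entry point: `params` carries untrusted request values.
    Flow: params["id"] -> SQL string (sink 1), params["name"] -> file path (sink 2).
    The owner check in the WHERE clause can be commented out by the caller
    (id = "2 --"), and the file name is never confined to the owner's directory."""
    row = conn.execute(
        f"SELECT owner, name FROM documents WHERE id = {params['id']} AND owner = '{user}'"
    ).fetchone()
    if row is None:
        return None
    owner, _ = row
    with open(os.path.join(root, owner, params["name"]), "rb") as fh:
        return fh.read()


def download_hardened(conn, root, user, params):
    """Same functionality with both sinks guarded."""
    # Sink 1: validate the type at the entry point and bind it as a parameter,
    # so the owner check cannot be altered by the request.
    try:
        doc_id = int(params["id"])
    except (KeyError, ValueError):
        raise ValueError("id must be an integer") from None
    row = conn.execute(
        "SELECT owner, name FROM documents WHERE id = ? AND owner = ?",
        (doc_id, user),
    ).fetchone()
    if row is None:
        return None
    owner, _ = row
    # Sink 2: resolve symlinks and ".." first, then require the result to stay
    # inside the owner's directory before touching the file system.
    owner_dir = os.path.realpath(os.path.join(root, owner))
    target = os.path.realpath(os.path.join(owner_dir, params["name"]))
    if os.path.commonpath([owner_dir, target]) != owner_dir:
        raise PermissionError("requested path escapes the owner's directory")
    with open(target, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    conn, root = build_fixture()
    # alice reads bob's file twice through the vulnerable handler, once per sink
    print(download_vulnerable(conn, root, "alice", {"id": "2 --", "name": "payroll.pdf"}))
    print(download_vulnerable(conn, root, "alice", {"id": "1", "name": "../bob/payroll.pdf"}))
    for bad in ({"id": "2 --", "name": "payroll.pdf"}, {"id": "1", "name": "../bob/payroll.pdf"}):
        try:
            download_hardened(conn, root, "alice", bad)
        except (ValueError, PermissionError) as exc:
            print("blocked:", exc)
```

In a real review the findings report would list both sinks separately, each with the request that reaches it and the line where the untrusted value is consumed, so that the developers can find every other place the same pattern occurs.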
At the end of the assignment a meeting with the developers will be organized to explain and discuss the discovered problems and the ways to avoid them.
As a result of a web application security test and/or code review we deliver a report consisting of the following parts:
- Summary. The first part will contain a high-level overview of the work that was performed and the most important issues which were identified.
- Findings and recommendations. This is the most important part of the report, listing all discovered security problems (ranked according to their perceived severity). For each listed issue, recommendations are included that provide guidance on how the issue can be addressed or mitigated.
- Detailed test results. The final report part provides a detailed technical overview of the tests which were executed, together with the outcome of these tests. Inclusion of the detailed list of tests together with the outcome allows independent test validation.
The report will be delivered in electronic format, using the Adobe Acrobat (PDF) format.
Mobile Applications Security Testing
Internal and External Network Testing
Telephony and VoIP Security Testing
- transport security assessment - we verify whether or not communication channels are protected from active eavesdropping
- network security assessment of VoIP networks, including IP phones and all components in between
- IP phone auto-provisioning security assessment
- VoIP oriented security testing to make sure your network is not vulnerable to known attacks (e.g. caller ID spoofing, registration hijacking, toll fraud)
Hardware Security Testing
- verifying physical anti-tampering mechanisms robustness (protection seals, anti-tampering switches)
- documenting components on the board
- identifying debug ports left by manufacturers
- analyzing the device's behavior against physical fault injections
- performing software fuzzing through physical interfaces (e.g. USB protocol, serial protocols)
- extracting firmware from memory (either logical extraction via debug ports or physical extraction through chip de-soldering)
- reviewing secure boot implementations
Custom Applications Security Testing
We have experience testing various complex custom systems consisting of multiple software and hardware components. Some examples of the systems we have tested:
- An IoT device that is initially configured over a Bluetooth link from a mobile app, and receives firmware updates and configuration changes over a WiFi connection from a remote server. All parts of the system were in scope of the test.
- An entry/exit control system interacting with sensors and scanners locally and cloud infrastructure over the Internet
- A desktop application, web application and a set of web services used for document workflow management
- A mobile application, mobile friendly web interface and a set of web-based services for ad-hoc audio and video conferencing and messaging