Vulnerability Assessment and Penetration Testing
Our Vulnerability Assessment Methodology
We primarily follow the Open Web Application Security Project (OWASP) guidelines as a benchmark. However, over time we have developed our own Hybrid Methodology that brings together the best of the OWASP, OSSTMM, WASC and NIST standards. This hybrid methodology involves a set of comprehensive checks which ensure that no vulnerabilities are missed during testing.
The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
Understanding the Attack Scenario:
During an attack, an outside party attempts to flood an organization’s systems with a very large number of connections in order to overwhelm them. Since attackers can use programs or bots to generate the traffic from many sources, an organization cannot stop the attack simply by blocking a single IP address.
There are three basic categories of attack:
- Volume-based attacks, which use high traffic volumes to saturate the network bandwidth
- Protocol attacks, which focus on exhausting server resources
- Application attacks, which target web applications and are considered the most sophisticated and serious type of attack
Studies agree that providers need more comprehensive cloud security measures to mitigate an attack such as a DDoS incident. However, organizations should also be aware that the purpose of an attack is often not just to disrupt a system but to steal data as well.
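As an added illustration of why blocking a single address does not stop a bot-driven flood (example code, not part of this page's methodology): the script below buckets connection events into one-second windows and tells a single noisy client apart from a distributed flood that no per-IP block would stop. The log format, the thresholds and the sample addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed log, one line per accepted connection: "<ISO timestamp> <source IP>".
    At 10:00:00 one client opens 30 connections; at 10:05:00 forty distinct bot
    addresses open 3 connections each, all within the same second."""
    t1 = datetime(2024, 1, 1, 10, 0, 0).isoformat()
    t2 = datetime(2024, 1, 1, 10, 5, 0).isoformat()
    lines = [f"{t1} 198.51.100.7"] * 30
    for i in range(40):
        lines += [f"{t2} 203.0.113.{i + 1}"] * 3
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (datetime, source_ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            events.append((datetime.fromisoformat(ts), ip))
    return events


def detect_floods(events, window_seconds=1, per_ip_limit=20, total_limit=100):
    """Bucket connections into fixed windows and classify each suspicious window.
    'single-source': one address alone exceeds per_ip_limit, so blocking it helps.
    'distributed': no single address exceeds per_ip_limit but the window total
    exceeds total_limit; blocking any one IP barely dents it."""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % window_seconds][ip] += 1
    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        top_ip, top_n = counts.most_common(1)[0]
        total = sum(counts.values())
        if top_n > per_ip_limit:
            verdict = "single-source"
        elif total > total_limit:
            verdict = "distributed"
        else:
            continue  # normal traffic for this window
        findings.append({"window": start, "verdict": verdict, "sources": len(counts),
                         "total": total, "top_ip": top_ip, "top_count": top_n})
    return findings
```

Running `detect_floods(parse_log(build_sample_log()))` flags the 10:00 window as single-source and the 10:05 window as distributed: 120 connections in one second, yet no address sent more than 3.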
Our methodology is designed to be exhaustive in two dimensions:
- Testing for all known attacks.
- Testing on all possible points of entry (for large applications, a representative sample of sections may be tested, while the resulting fixes need to be applied across the entire application).
We will find the logical security flaws that are specific to your application as well as the widely known application security attacks. After subjecting your applications to this rigorous testing, you will know how secure they are against both logical attacks and the popular technical attacks, all of which aim at breaking or circumventing application controls to steal information, gain unauthorized access or perform illegal transactions.
A typical application security test undergoes the following stages:
- Understanding the application, e.g. SaaS for cloud VAPT
- Identifying potential security risks
- Developing test cases
- Executing the test cases
- Reporting (findings and their solutions)
- Coordinating with developers to fix the reported findings
- Retesting the application to confirm the fixes, if required