Web Application and Service Penetration Test

Do you trust user-supplied input?


Service

Web applications and services are often exposed to the internet and can be attacked from anywhere in the world, so ensuring their security is paramount. Common issues include insufficient validation and sanitization of user input, known vulnerabilities and misconfigurations in the platform or in the components used, and broken access control, including authorization failures between user roles. A penetration test identifies the currently known vulnerabilities present in the system.


Value

  • Become aware of the currently known vulnerabilities in your web application or service.

  • The observed issues are ranked by criticality to the whole system, with their impact described, so the business can decide to mitigate or accept each risk.

  • Verify whether the application or service follows best practice.

Deliverables

  • A penetration test report for the web application or service, with an executive summary and a technical section for IT staff and developers. The report documents the observed vulnerabilities and misconfigurations in the system along with recommended remediation actions.

  • A debriefing session where the findings are reviewed.



Methodology

Our methodology is inspired by the OWASP and NIST publications on penetration testing, and is further developed with our experience in hacking and identifying attack paths in web applications and services.

We suggest performing the project as a white-box test, testing both as an unauthenticated and as an authenticated attacker. As the authenticated attacker, we test as each role within the system where applicable.

Throughout the test we combine automated scans with creative manual testing based on our knowledge of hacking and of web applications and services.

We assess areas such as:

  • Access control, including authentication and authorization mechanisms

  • Identity management

  • Session management

  • Error handling

  • Use of cryptography

  • Input validation and sanitization

  • Business logic flows

  • Information exposure

  • Deployment and configuration management


Involvement

Minimal involvement is required: an initial kick-off meeting, usually an hour or less, where the flow of the system is explained. Additionally, a contact who can explain the application should be available throughout the test.

