PENETRATION TESTING
Before we send something out into the real world we usually test it, adjust it, and then test it some more. Your security should be no different. By testing and measuring your security system, not only can you identify areas of weakness, you can then proactively prevent attacks before they even begin.
One great way to do this is through Penetration Testing.
Penetration Testing simulates an attack on your system. The idea is to determine where your weaknesses lie and identify any potential damage that would arise as a result of a real-world breach.
Just like test driving a car, you want to see what happens when you test the limits on the road, yet do it in a controlled environment.
One of the most common approaches to assessing the security level of an application is to simulate the perspective of an attacker with no prior knowledge of the system, hence the name “Black Box”. Our team of experts tries different scenarios and attack vectors, and uses hands-on as well as automated attack techniques, in order to gain as much information about the system as possible and eventually uncover its weakest links.
Bypassing business logic at the application level may allow an attacker to constantly win on gambling applications, perform unlimited money transfers on banking applications, etc. Detecting these types of flaws requires solid experience, creative thinking and strong intuition. Utilizing known vulnerabilities coupled with intelligence-gathering capabilities allows our team of white hat hackers to exploit systems on different levels.
OUR APPROACH
The Penetration Test can be performed using one of two methods: Invasive, in which we try to exploit any vulnerability (usually in a testing environment), and Non-Invasive, in which vulnerabilities are only discovered and reported, not exploited (usually in a production environment).
Our techniques, tools and methodologies have been developed over thousands of penetration tests. We adhere to industry standards such as the OWASP Top 10, and we also test for business logic-related application flaws, which are unique to each application. We include all classes of WASC attacks in our tests.
DELIVERABLES
The results of a penetration test are detailed in a comprehensive report that clearly explains where your vulnerabilities are, what the risk to your business is, who may be able to exploit these vulnerabilities and how best to secure your application.
Our reports are aimed both at non-technical senior executives, focusing on potential risks and probability, and at application developers, giving an in-depth explanation of how to mitigate risks.
In order to enable more effective discussion and a better understanding of the software weaknesses detailed in our reports, we take care to correlate each vulnerability to a valid MITRE CWE ID.