Penetration Testing
A penetration test is for when you need to know what the security posture of an application or system looks like in the context of how it will be used. These engagements are timeboxed, usually on a shorter timeframe, and we look at the target aiming to find vulnerabilities, misconfigurations, and deviations from best practices. Depending on your requirements, the methodology can range from industry-recognised automated testing through to manual testing looking for novel attack vectors.
Web Application & API Penetration Testing
We can look at your web application and/or API in the context that they will be used in to ensure that there is a baseline level of security whatever the use-case. We look at all aspects of the target including their infrastructure, frameworks, authentication, authorization, and business logic to find issues which could result in the target being misused or misconfigured.
Mobile Application Penetration Testing (iOS & Android)
While these operating systems provide a good base to build upon, some responsibilities still fall into the realm of the application developer. We can decompile applications to look for ways they can be abused, as well as checking how they communicate with their server(s) and the security posture those servers expose to the application.
Desktop Application Penetration Testing
If you have a Windows or Linux application and you need to know that not only is the application itself secure, but also how it interacts with the host operating system, then we can perform an assessment of the application specifically looking at these aspects. If there are specific concerns about the application due to how the application or computer will be used, we can cater the assessment to look at these and provide appropriate recommendations.
Internal Security Reviews
Running and configuring a network which meets all the requirements of your users while still being secure is a challenge. We can start from an unprivileged or low-privileged position on the network and attempt to gain access to critical systems. This can be done either while keeping you and your team informed of our actions, or by letting the security team simulate their response to an unplanned threat to the network.
External Security Reviews
Almost every business requires an external presence in order to conduct business, be it a public website, a way for users to VPN into the network, a suite of critical applications which absolutely must have some form of internet exposure to support disaster recovery plans, or anything in between. These exposed services are often the route by which threats get into a network, so we can assess them to look for weaknesses before an attacker finds them.
Kiosk Breakouts
Looking to deploy a kiosk for members of the public to use? We can look at the implementation of it to ensure it’s only going to be used as intended.
Open-Source Intelligence (OSINT)
Businesses frequently disclose breadcrumbs of information which become available on the internet and can be used to gain insight into internal or otherwise sensitive information. We can look for these breadcrumbs to try to find out exactly what is being exposed, explain the potential significance of these exposures, and guide you through the next steps.
Password Cracking
Passwords tread a line between security and usability: more restrictive password policies often frustrate users, leading to poor password hygiene, while weak password policies allow easy-to-type, but often weak, passwords to be used. We can take a copy of the password hashes for your employees, anonymise it if required, and attempt to crack these hashes to identify where password policies can be improved or more education provided.
WiFi Penetration Testing
WiFi configuration goes well beyond ensuring a strong password is being used, with important considerations including making sure that the signal itself is sized appropriately for your building. We can come on-site to look at the WiFi configuration, the characteristics of the signal itself, and the wrap-around processes to ensure that all parts of the implementation are appropriate. We’ll also connect to the WiFi to ensure that each client is being properly isolated from others and check that the network is properly segmented from internal assets.