Get in Touch

CONTACT US

Overview

IT SECURITY ASSURANCE

Timely identification, assessment, and management of security risks associated with business applications, networks, mobile devices and related technology environments enable enterprise stakeholders to address emerging threats while maintaining compliance with applicable regulations, legislative requirements and industry standards. Proactive remediation of security design flaws and IT control weaknesses in the business system becomes paramount, thereby preventing customer lawsuit, legal penalties, regulatory fines and loss of reputation.

Organizations require best in class technology, robust processes and a technical specialist that empower business owners to continuously innovate and focus on the core business without compromising on security.

  • Adherence to Industry Standards and Frameworks
  • Certified & Highly Skilled Resources
  • Security Control Assurance
  • Reduced Zero False Positives
  • Information Protection

Security assurance is the foundation enterprises need to build for determining trustworthiness of features, practices, processes, procedures and architecture of the information system. Security Assurance Services assist clients across a wide range of industry verticals in determining the compliance level of the technical security controls with applicable regulations, legislative and standard requirements such as PCI DSS, UK DPA, HIPAA and ISO 27001.

Technical Security Assessments comprise vulnerability assessments and penetration testing of all the system components that include business applications, databases, secure network perimeters, systems and network infrastructure, mobility solutions and virtualized cloud environments for global client base.

Untitled-5 copy

Offerings

Infrastructure Penetration Testing

System & infrastructure network vulnerability assessment and penetration test is crucial to demystify the security exposures that are used to launch a cyber-attack through the internet. The security assessment of internet facing system or internal network test helps discover the vulnerable network services that can be exploited by unknown threat sources.

Phase 1- Profiling & Discovery: This stage involves use of several scanning tools to identify live hosts and active services that include network mapping, banner grabbing, operating systems fingerprinting, service identification, protocol discovery and supported versions.

Phase 2- Infrastructure Security Assessment: Assessment stage involves automated scanning of vulnerabilities in network services, information systems and perimeter security controls by enterprise class tools with most updated feeds. In addition, manual assessments help verify the automated scan results to eliminate false positives.

Phase 3- Infrastructure Vulnerability Exploitation: This stage uses the information gathered on active ports and services with the related vulnerabilities to safely exploit the services exposed. Attack scenarios for production environment will use a combination of exploit payloads in strict accordance with agreed rules of engagement.

Phase 4- Reporting: All exploitable security vulnerabilities in the target system are recorded with associated CVSS v2 based scores are reported to the client. The identified security vulnerability is assessed thoroughly and reported along with appropriate recommendation or mitigation measures.

Phase 5- Remediation Consultation & Reassessment: Remediation consultation involves assisting the client’s platform team to remediate all reported infrastructure security vulnerabilities. After remediation, a reassessment will be conducted to validate the effectiveness of the IT control counter-measures used in mitigating the reported security vulnerabilities.

Application Penetration Testing

Application penetration testing services is a blend of automated and manual technical security assessment approach to identify all the common vulnerabilities indicated by OWASP (Open Web Application Security Project) standard and all the other leading industry frameworks.

The application security assessment service offering covers web applications, web services and thick client applications.

Phase 1- Application Profiling: In this stage, profiling of the target web application is performed by identifying user entry points, understanding the core security mechanisms employed by the application, interfaces to external or internal applications, identifying roles with varying trust levels and determining the data flow path with indication on privilege boundaries.

Phase 2- Automated Application Security Scanning: Automated application vulnerability scanners (i.e. commercial and open-source) are used to scan for application specific vulnerabilities covering all OWASP, WASC and SANS references.

Phase 3- Application Vulnerability Determination: This phase involves a complete hybrid approach of identifying the web application security vulnerabilities with automated tools and scripts along with manual assessment to eliminate false positives and negatives. Manual assessment uses various vulnerability databases to identify vulnerabilities that were missed during automated scans, in addition to security verification of business logic flaws, broken access controls and more.

Phase 4- Application Vulnerability Exploitation: The primary focus in this phase is on using manual security testing techniques to exploit the systems that include several exploits to assess the application hardening measures, cryptography issues, authentication & authorization controls, session management module, business logic flaws and various validation measures. Attack scenarios for production environment will use a combination of exploit payloads in strict accordance with agreed rules of engagement.

Phase 5- Reporting: All exploitable security vulnerabilities in the target web application are recorded with associated CVSS v2 based scores and are reported to the client. The identified security vulnerability is assessed thoroughly and reported along with appropriate recommendation or mitigation measures.

Phase 6- Remediation Consultation & Reassessment: Remediation consultation involves assisting the client’s platform team to remediate all reported application security vulnerabilities. Post remediation, a reassessment will be conducted to validate the effectiveness of the application security countermeasures used in mitigating the reported security vulnerabilities.

Mobile Application Testing

Mobile native application penetration testing services is a blend of automated and manual technical security assessment approach to identify all the common vulnerabilities indicated by OWASP standard and all other leading industry frameworks.
The mobile native application security assessment service offering covers installable applications on various mobile platforms such as Android, iOS, Windows and BlackBerry.

Phase1- Mobile Application Profiling: In this stage, profiling of the target native application is performed by identifying user entry points and understanding the core security mechanisms employed by the application.

Phase 2- Automated Vulnerability Scanning: Automated mobile native application vulnerability scanners (i.e. commercial and open-source) and customized assessment scripts are used to scan for native application specific vulnerabilities covering all OWASP and SANS references.

Phase 3- Mobile Application Vulnerability Determination: This phase involved a complete hybrid approach of identifying the mobile native application security vulnerabilities with automated tools and scripts along with manual assessment to eliminate false positives and negatives.

Manual assessment covers a wide range of security checks on the installation package, files on local file system, insecure file permissions, native application authentication & authorization constraints, business logic flaws, client-side injections, server-side validation of input data on native application, replay attack vulnerabilities, secure transfer of sensitive information and error handling & session management methods.

Phase 4- Mobile Application Vulnerability Exploitation: The primary focus in this phase is on using manual security testing techniques to exploit the mobile native application on the respective platform that includes several exploits to assess the mobile native application hardening measures, business logic flaws and various validation measures in addition to the list of security vulnerabilities determined from the previous stage.

Phase 5- Reporting: All exploitable security vulnerabilities in the target mobile native application are thoroughly assessed, and recorded with associated risk ratings and reported to the client with an appropriate recommendation or mitigation measure.

Phase 6- Remediation Consultation & Reassessment: Remediation consultation involves assisting the client’s platform team to remediate all reported mobile native application security vulnerabilities. Post remediation, a reassessment will be conducted to validate the effectiveness of the mobile application security control countermeasures used in mitigating the reported security vulnerabilities.

Secure SDLC Consulting

We provide end-to-end application security solution for web applications, thick client applications and mobile native applications by embedding security controls at every stage of the software development life cycle as listed below:

Security Advisory service: Delivered during the requirements definition phase involves conducting a gap analysis of application artifacts against security requirements based on the applicable legislative and regulatory requirements, to ensure that security has been designed and implemented throughout the development lifecycle. Suitable counter-measures to mitigate security design flaws and threats for securing web applications with reference to OWASP, WASC, SANS security programming guidelines is recommended.

Security Configuration review: Security configuration of system covers the adequacy of device security and application security policy enforcement that includes use of unapproved applications, patching and updates, access control configuration, cryptography implementation, restriction on removable media or wireless connections, storage media containerization and relevant security settings for device hardening. Technical security standards compliance testing will be covered under configuration review, which covers adherence to the security guidelines mandated by PCI Data Security Standard (PCI DSS), UK Data Privacy Act (DPA) and other applicable regulatory and legislative requirements.

Threat Modeling service: Delivered during the design phase involves understanding of the application functionality with entry points in web platforms, followed by defining attack vectors to cover all possible scenarios and attack surfaces such as exposed API’s, malicious users, third party components and services, web browsing ad content handlers. Threat modelling enables developers to identify the most credible threats that have the greatest potential impact to web applications. Web Application Security assessment methodology adheres to Microsoft Developers Network (MSDN) guidelines.

Secure Code Audit service: Delivered post the development phase involves code crawling activity followed by a combination of detailed automated scan and manual code review. This comprises data flow analysis, control flow analysis, taint analysis and permission analysis to identify business logic flaws, security design flaws and code level flaws or vulnerable code that lead to several application security vulnerabilities covered under OWASP Source Code Flaw Categories, CERT, SANS, and MSDN Secure Coding Standards.

Secure Code re-mediation: Post testing phase involves reviewing the code fixes after penetration testing and helping the development team towards mitigating the same.

Resources

Contact us contact us