Penetration Testing

Know What They Know

Penetration testing provides insight into quantitative security like few other activities can.

While there are very good reasons for statistical approaches to quantifying risk (such as cost-effectiveness!), penetration testing can inform on actual vulnerabilities by leveraging the same tactics, tools and techniques used by threat actors and provide those results directly to the folks who can fix them.

Ethical

We guarantee the trustworthiness of our people and make every effort to treat your data responsibly (end-to-end encryption, two-factor authentication, principle of least privilege, etc.).

Comprehensive

Because of the extensive experience of our consultants, we are able to work through your target environment thoroughly and efficiently.

Clear Results

Our deliverables are clean and communicate well. We offer, as a standard component of every engagement, interactive sessions with our consultants to explain findings and recommendations to the satisfaction of your technical teams.

Web Application Penetration

Web applications are critical to businesses, non-profits, NGOs and governments. So many of the ways our lives are streamlined and enriched today are the result of well-crafted web apps. For instance, the ability to order toilet paper on Amazon or even conveniently pay your property taxes and medical bills is the result of web technology.

Web application engineers, system and network administrators, however, are largely driven to create functionality in the shortest possible time frame. Despite their best intentions, they can sometimes miss how functionality can be abused by ill-intentioned individuals to harm the organization. Examples of such abuse abound and include two of the more famous data breaches of the last five years: the Panama Papers Breach and the Equifax breach.

Our web application assessments fall into three categories:

  • Full Knowledge

    These assessments are conducted with full knowledge and participation from the web application, systems, and network engineers of the customer. TVG comes alongside to review the network, system and security architecture, source code, and final product. Assessment results are shared upon confirmation of an issue while recommendations are communicated early and documented for all to see. This is, by far, the best approach to application assessments and provides the most value to the customer.

  • Partial Knowledge

    In this case, the customer shares basic (e.g. lowest privilege level) login information for each major business function of the website, but does not share source code, system, or network architecture information. These tests are often used to assess the security posture of an application written by a third party. They can help quantify risk for the customer and, in many cases, broker conversations with the application author.

  • Zero Knowledge

    As the name suggests, in this case TVG is presented with a website address (via the engagement waiver) and no other information. There are various reasons why this type of assessment is used, and they often involve non-technical drivers such as the realities of the client’s interdepartmental politics.

Web Penetration Testing: FAQ

We have a ‘web application firewall’ (WAF). Do we still need a web assessment?

WAFs, like their network-based counterparts, provide a valuable measure of protection IF they are configured properly. However, like a network firewall, the danger lies in what they allow to pass through. WAFs don’t automatically adapt to the underlying application and need to be heavily customized to each input screen (and maintained when those screens are updated) to be effective. What usually ends up happening is that WAFs are deployed with default settings, which provide some level of increased security but fail to live up to the full capability of the technology.

Our application is hosted on Amazon (Google Cloud, Azure), and they have really great security. Why would I need a security assessment?

Yes, these providers do have great security. They are, however, providing infrastructure akin to a well-crafted automobile. Think of your web application as the driver of that automobile. If it drives into a wall at 55 miles/hour, the results will be catastrophic.

The applications built on these excellent platforms host your company’s/customer’s data, confidential business processes, and competitive edge. If the application is vulnerable, the underlying platform that ensures its availability to authorized users will just as readily provide that same availability to unauthorized ones.

I got a (free or low cost) vulnerability scan. Why do I need to spend more money?

You may not. If your website serves primarily as an Internet-accessible brochure, you trust the maintainers to have good backups and you run regular scans to check for new vulnerabilities, then we wouldn’t recommend a security assessment.

If, however, your website provides some important business function, process automation, or customer service, then you probably do. This is why standards like PCI, HIPAA, COBIT, etc. require periodic security assessments. Web applications can be complex and typically involve multiple building blocks not authored by the application creator. With all these additional components and complexity comes inherent risk and an imperative to quantify that risk.

If these assessments are so important, why isn’t there some standard to help people understand the risks?

There is! The Open Web Application Security Project (OWASP) publishes research, training material, and updates on modern web application attack methods and classes of vulnerabilities. TVG uses this, among other sources, to guide our penetration testing activities. Your web application developers can leverage the same resource to inform them of security pitfalls while coding.

Have a Question?

We will be happy to answer any additional questions you might have. Feel free to contact us anytime.

Network Penetration

Network penetration assessments look at part or all of your company’s digital footprint from a ‘hacker’ perspective.

These tests typically include vulnerability scanning, web application penetration, system vulnerability exploits, and data gathering.

In other words, the same activities your environment probably experiences on a daily basis, but with the added advantage that you learn exactly where your organization is at risk.

  • Responsible

    Penetration attempts can be risky, whether performed illegally by a bad actor or proactively as a key element of your security strategy. At the Vizius Group, we have processes and procedures in place to make sure that our assessments are done in a responsible manner. From coordinating the activities with your team and agreeing on safety protocols to protecting the data we collect with strong encryption, we handle every engagement with due care.

  • Comprehensive

    Our penetration assessments are conducted by veterans of the industry. We have a body of mature processes to make sure that we provide a comprehensive engagement.

    While no engagement can claim to cover every scenario, we work to provide the best possible overview of your externally facing security posture.

  • Actionable Intel

    Every engagement provides clear and actionable intelligence. We are committed to providing every customer with all of the detail they need to understand the security posture of their organization and the specific steps required to improve it.

Ready To Get Started?

Our cybersecurity experts are ready to help your company prepare for the future and beyond.
