Security Assessment Services

Today, the majority of software applications are delivered via web applications.  We help organizations increase their web application defenses against cyberattacks through ethical security exploitation.

• -A web application penetration test focuses on assessing the security of web applications. This includes analyzing the web application for known vulnerabilities according to the OWASP 10 and SANS Top 25, before attempting to exploit the identified vulnerabilities to assess the risk posed.

• -The methodologies used for testing include Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES).

A mobile application penetration test is similar to a web application penetration test. Mobile application vulnerabilities include sensitive data leakage, insecure communication and insecure storage of data on the mobile devices itself.

• -The methodologies used for testing include Open Web Application Security Project (OWASP), OWASP Mobile Security Testing Guide (MSTG Pre-release), Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES).

When performing an internal network penetration test, we attempt to escalate privileges and gain access to all systems and devices as agreed to prior to testing.

• -An internal network penetration test helps to assesses the current state of internal IT systems and network connected devices.
• -The methodologies used for testing include Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES).

An external network penetration test assesses the security of your internet-facing infrastructure. Every organization has devices that are exposed to the internet.

• -During an external network Penetration Test, we discover and attempt to exploit vulnerabilities that could affect your systems that are exposed to the internet.

• -The methodologies used for testing include Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES).

As the number of web applications in your organization increases, keeping them organized is critical to proper security hygiene. We perform a thorough discovery and classify assets using dynamic tagging to organize host assets by role to the business.

• -Visually map every web application on the network.
• -Details each device by OS, ports, services and certificates.
• -Helps to continuously monitor your client-facing web applications keeping you in control of security.
• -Application discovery and cataloging – We find new and unknown web applications across your network.

We efficiently scan for web application vulnerabilities
everywhere.  Monitor your perimeter for unexpected changes.

• -Web application Vulnerability scanning. Detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection. Then we prioritize them and focus on the issues that will have the most impact.
• -Includes web  applications on the perimeter and internal networks, and elastic cloud networks (Amazon, Azure, Google).
• -Incorporated penetration testing data keeps web application testing data in one place for integrated analysis.
• -Results provide accurate, prioritized actionable results.
• -Provides continuous insight into your organization’s ongoing attack-surface and associated risk/liability.
• -Website Malware Monitoring. Includes continuous Malware detection that finds hidden malware before it attacks users visiting your websites/web applications.  Protect your organization’s reputation and your users security by rooting out malicious code and content that’s been hidden in your website or applications. Advanced behavioral analysis helps identify even zero-day malware that eludes anti-virus and anti-spyware packages.

Running regularly scheduled web application scans helps to identify the highest risks to the business using trend analysis, zero-day and patch impact predictions.

• -Our experience and knowledge helps put critical issues into context.
• -We help you spot trends, see what’s changed since the last scan and accurately predict which hosts are at risk…even for zero-day attacks.

We monitor the life-cycle of your web application vulnerabilities and help manage the
remediation process.

• -Our service helps keep your team focused on core-competency & revenue generating activities.
• -We assign remediation tickets and manage exceptions.
• -Provide lists of patches by priority for each host and we help manage exception process.

We provide comprehensive
role-based progress reports that document progress for IT, business executives and auditors.

• -Our service provides context & insight, not just a data dump.
• -Continuous monitoring and insight into on-going progress with your organization’s risk management program.

We help manage & reduce risk by finding the official and “unofficial” devices that may be hiding in your environment. We provide quick and accurate visibility into vulnerabilities across your organization.  As the number of devices in your organization continues to rise, keeping them organized is crucial to proper security hygiene. 

• -Visually map every device and application on the network.
• -Identify which OS, ports, services and certificates are on each device.
• -Details each device by OS, ports, services and certificates.
• -Device discovery and cataloging – we find new and unknown devices across your network.
  
• -Continuously monitor your perimeter for unexpected changes.
• -Assign a business impact to each asset.
• -Dynamically tag assets to automatically categorize hosts.

We scan for vulnerabilities everywhere, accurately and efficiently.  We automatically update vulnerability statuses to provide you with key information about what issues are new, ongoing and fixed. And with Progressive Scanning, we provide even better coverage over multiple scans, enabling continuous testing of your web applications.

• -Includes devices and applications on  perimeter and internal
  networks, and elastic cloud networks (Amazon, Azure, and Google).
• -Includes scalable, high-accuracy progressive
  scanning that saves time and keeps focus
  on what matters most.
• -Authenticated scanning available to automatically log in to test like a real user.
• -Scanning tools support Selenium to enable
  complex authentication or workflow sequences for better scan coverage.
• -Access to scheduled and on demand scanning services. 

Identify the highest business risks & manage those risks using trend analysis, Zero-Day and patch impact predictions.   We scan and analyze OS and application configurations on each target host.

• -Track vulnerabilities as they appear, are fixed, or reappear.
  
• -Put critical issues into context with our expert advisory services.
• -Monitor certificates deployed throughout your network.
• -Spot trends, see what’s changed.
• -Predict which hosts are at risk for Zero-Day Attacks.
• -See which hosts need updates after Patch Tuesday.

We monitor the life-cycle of vulnerabilities and validate the remediation process.

• -Monitor vulnerabilities over time, assign tickets, and manage exceptions.
• We keep track of everything so your team can stay focused on revenue generating activities.
• -Provide lists of patches by priority for each host and manage exceptions.
• -Keep track of vulnerabilities and actions taken.
• -Create per-host patch lists.-

We provide comprehensive
reports that document progress for IT, business executives, customers and auditors.

• -Service provides context & insight, not just a data dump.
• -Continuous monitoring  and insight into ongoing progress with your organizaion’s vulnerability management goals.

Phishing Simulations to help employees practice what they learn during employee security  awareness.

• -Performing ongoing phishing simulations helps to keep employees practiced & reinforces good security habits.  

Pretexting is the practice of presenting oneself as someone else in order to obtain private information.  Pretexting impersonation exercises are used to gather key information. 

• -Pretexting attacks are commonly used to gain access to both sensitive and non-sensitive information.

Tailgating, also known as piggybacking, is when a someone bypasses the physical security controls of a building based on someone else’s authentication.

• -We attempt to bypass physical security at client sites in order to roam unescorted, looking for open offices and/or unsecured workstations.
• -The real-world costs of tailgating include theft of IT equipment, theft of sensitive data, loss of intellectual property and physical attacks to network equipment.

Baiting helps to identify those at risk of enticement.  

• -Engagement examples include leaving USB flash drives and other forms of mobile storage media in an open area in order to identify those employees that attempt to use the found storage device to aid in educating employees in the risk posed.