The objective of this service is to identify and analyze vulnerabilities in the Company's web applications. These vulnerabilities may stem from security mistakes in the design, development or deployment of the application, which widens the range of gaps that potential attackers could identify and exploit. Our methodology is aligned with the OWASP testing process, which begins with manual testing to identify vulnerabilities; it also includes the use of automated tools, followed by manual confirmation of every potential vulnerability they report.
Our web application analysis service can be delivered under three different approaches:
- Black box analysis: the web application is analyzed with no prior information, simulating an attack by an experienced individual on the Internet who has had no previous access to the application.
- Grey box analysis: the web application is analyzed with valid credentials, simulating a real user of the application.
- White box analysis: the application's source code is analyzed in search of potential security mistakes.
The external infrastructure vulnerability analysis service consists of a set of tests that aim to identify vulnerabilities, and to assess the associated risk, in the services of the Company's assets that are exposed on the Internet.
The tests performed throughout the project are divided into the following phases:
- First, unprotected services exposed on the Internet are identified.
- The identified services are then tested in order to find vulnerabilities that could be used by an attacker from the Internet.
- The following step is exploitation, which involves carefully controlled tests that take advantage of the vulnerabilities as an attacker would.
- Later, a report is written to inform the Company about the risks associated with the vulnerabilities identified in its assets, from both a technical and a business point of view. In addition, strategic and tactical recommendations are provided for each identified vulnerability, enabling our clients to take short- and medium-term decisions to eliminate the risks.
- Between 30 and 45 days after the final report is sent, a re-test is performed on the reported vulnerabilities to verify the effectiveness of the controls implemented by the Company.
The methodology used in these stages includes both automated and manual testing tools. In both cases the results are verified manually, and in the case of automated tools any potential false positives are removed.
We offer a combination of automated scanning, manual testing and design review to find vulnerabilities and remediate them in a short period of time, reducing cost and exposure to attacks.
We promote secure coding practices for mobile applications to prevent advanced threats.
We also cover hardening of backend servers: not exposing sensitive information through misconfigurations, running a patch management process, limiting unauthorized access, and addressing platform vulnerabilities and other attack vectors.
Top 10 Mobile Risks (OWASP)
- Weak Server Side Controls
- Insecure Data Storage
- Insufficient Transport Layer Protection
- Unintended Data Leakage
- Poor Authorization and Authentication
- Broken Cryptography
- Client Side Injection
- Security Decisions Via Untrusted Inputs
- Improper Session Handling
- Lack of Binary Protections
The main objective of this service is to obtain sensitive information, whether private or confidential, from the company through social engineering techniques, which take advantage of human relationships.
The aim of these tests is to determine the level of information that users (“the weakest link”) hold, the potential threats to which they are exposed, and their level of knowledge about the classification of the information they handle.
A typical attack stage involves the creation of a website designed specifically for the company. This site might offer exclusive deals for employees and ask them to log in with their corporate credentials.
Another typical attack stage consists of sending e-mails that request an update of the access information for the company's intranet through a specially designed portal.
Lastly, the aim is to produce a report that allows the company to gauge the security awareness of its employees.
Furthermore, tactical and strategic recommendations are provided so that the company can take short- and medium-term actions to eliminate the risks.
We also help create an in-house security awareness program with information and material relevant to each audience, involving other departments and using multiple communication channels to reach the organization's goal in different ways.
We apply creativity and enthusiasm to build successful programs with metrics that measure staff performance, so that the organization understands cybersecurity matters and is prepared for cyber attacks.
This service allows us to identify vulnerabilities associated with the configuration of the devices and services used by the company, with the purpose of finding weaknesses that an attacker could exploit as a consequence of improper configuration.
ArtsSEC delivers a complete document with findings based on the best practice controls for security.
Should you need any further information, please contact us.