Penetration Testing

- Security testing services based on industry-standard methodologies such as OWASP/SANS and OSSTMM

At CANDA we can provide a range of security testing options to suit the engagement, giving you the 'best bang for your buck' by identifying your most critical issues in a cost-effective manner. We can also provide a more standard approach to ensure that all issues are identified and that you are fully informed of the security profile presented by the system(s) under review.

CANDA Methodology

Under the standard approach, we first use automated scanning to identify potential weaknesses and where the system may be vulnerable to attack.

We then move into more manual testing, which includes extensive penetration testing based on the OWASP and OSSTMM standards and covers all 5 steps of ethical hacking.

Application Study & Threat Modelling
  • Understanding application business and technical overview
  • Understanding systems functionality/component segregation
  • Gathering publicly available information from various Internet sources which may have the potential for
    exploitation
  • Threat profiling and attempting to discover logic holes in the surface of the application
  • Analysing the information gathered above to identify threats and associated vulnerabilities within system
    components and their interfaces
Hosting Server Testing & Automated Scanning
  • Controlled execution of automated tools to identify vulnerabilities that are exposed to an application user
    acting as an “anonymous user” (black box testing)
  • Use of manual techniques to confirm the vulnerabilities found by automated scanning. The results of this phase
    are used in the later section titled “Penetration Testing & Exploitation”.
  • Hosting server and network security scanning and manual testing
Penetration Testing & Exploitation
  • Application assessment based on OWASP, OSSTMM, WASC standards
  • Manual assessment of each page, each functionality, every request that goes out of the browser to the
    server
  • Exploitation of inherent weaknesses in the design and implementation of security controls
  • Sample test cases include privilege escalation, business logic exploitation, bypassing input validation,
    injection techniques, XSS testing, parameter manipulation, authentication and authorization bypass, etc.
Reporting & Closure
  • Documentation of vulnerabilities, proof-of-concept for vulnerabilities and exploitations, risk rating, impact
    and recommendations for closing the vulnerabilities
  • Following the reporting standards of OWASP
  • Comparison of vulnerabilities and penetration testing findings with previous activities, if any
Sample Test Cases
  • Authentication Checks
  • 2FA Bypass
  • Authorization Checks
  • Session Management
  • SQL Injection
  • Cross-Site Scripting
  • Error Handling
  • Privilege Escalation
  • Parameter Manipulation
  • Default installation and Backdoor checks

Learn about the importance of security testing and our associated services below.

What is Penetration (Security/Pen) Testing and why is it important?

Penetration testing is a key part of maintaining and developing the security profile of the systems you employ.

A penetration test, or pen test, is a simulated attack against your web application or supporting infrastructure. Previously, penetration testing was mostly performed on networks, rather than the applications and systems running on those networks.

The purpose of a pen test is to identify vulnerabilities which are exploitable by an outside (or internal) attacker. Penetration testing can be performed against the various types of code and systems used in your application, such as APIs and servers.

Knowing where, how and to what degree your systems are vulnerable is key to being able to remediate in a timely fashion, thus maintaining the security of your systems.

Secure code development with CANDA experts

The benefit of engaging CANDA for your penetration testing needs lies in our wealth of experience and knowledge of the best methods of testing. This gives you the key decision-making data and expert advice with which to address the concerns and issues raised.

Contact CANDA today to discuss our Application Security services

Our experienced team at CANDA are experts in everything related to ICT security and risk, and can provide a range of services to ensure your agency meets NZISM requirements, including secure application development and code testing throughout your organisation’s SDLC.

As New Zealand’s trusted and impartial experts on leading security for application re-development or uplift programmes, we can help resolve your application security and risk concerns.

Contact CANDA today to speak to one of our team and learn more about how we can help.
