Penetration Testing

CREST Accredited, Application Security Testing Experts

Introduction

At 4ARMED we will hack pretty much anything but our core focus is on application security testing. It's probably something to do with our closet developerness. If you've got any kind of web or mobile application - perhaps a SaaS platform? - that needs security testing, look no further.

What is an Application Penetration Test?

An exploitative test of your application’s security defences. Sometimes referred to as “ethical hacking”, the goal of penetration testing is to assess the resilience of your web application to technical attacks and provide tailored recommendations on areas that could be improved. By using the same techniques as criminal hackers our consultants look for ways to gain unauthorised access to data stored in your systems, applications or mobile devices.

We align our application security testing methodology to the OWASP Application Security Verification Standard. There's two main reasons for this: 1) it's good and 2) it gives additional, independent clarity over what will be delivered. This is especially useful if you're having a penetration test done to satisfy a third-party.

Security Testing Levels

Level 1 - Opportunistic The target is reviewed for easy to discover, easy to exploit weaknesses, such as those found in the OWASP Top Ten, that would be targeted by opportunistic attackers that lack the resources, skills, motivation or time to pursue more difficult vulnerabilities.
Level 2 - Standard The target is reviewed to see if it will withstand most security risks associated with today's software. This level of testing is typically required for most enterprise systems, compliance standards and other platforms that handle sensitive information such as personal or financial data.
Level 3 - Advanced This level is typically reserved for those systems that require the highest level of assurance, where a compromise could result in critical impact. At this level the types of threat are expected to be determined and potentially well-funded. Security testing alone is not sufficient to provide verification and we would look to review the system's architecture, code, management processes and other supporting factors in order to provide deep insight into the system's risk.

If what you need is something more targeted or bespoke, this is no problem. For example, you may have recently rolled out a new login function and would like assurance over just this element. All our engagements are built around your requirements so let us know what you need.

Benefits

Assurance

Security Testing helps you gain assurance over your risk. Everything should be coded and configured correctly and securely but testing provides assurance that no mistakes have been made.

Compliance

Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance.

Cost Effective

Sensible rates, a pragmatic approach and recommendations that make a difference all add up to a cost effective overall solution. Take advantage of a Managed Security Testing contract and see even better return on your investment.

Continual Improvements

Each report contains a root cause analysis and, if you take a Managed Security Testing contract we can help you implement a continuous improvement cycle focused on your specific problem areas.

What To Expect

Scoping

A typical engagement process flow can be seen here. The most important part when considering a penetration test is getting the scope right.

In some cases this is relatively simple as it may be you require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is when conducting a penetration test to meet PCI DSS requirement 11.3 which will need us to verify the scope for testing actually covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email, more complex tests will require a scoping form to be completed.

A longer description of the stages of a typical penetration testing engagement can be found in the resources section below.

Delivery

Communication is key to the delivery of a good security testing engagement. You will be assigned a project lead who will handle all of the logistics of testing with you and give you one point of contact should you need to discuss anything. We will keep you updated throughout testing as required and a free-of-charge wash-up call between our consultants and relevant parties from your organisation can be scheduled once you have reviewed the detailed report provided. This gives you the opportunity to discuss the findings and recommendations in more detail and evaluate further your best course of action.

Application Security Testing with Source Code

Earlier we highlighted the different testing levels we typically work to – Opportunistic, Standard and Advanced – but, when it comes to application security testing there is always the option to provide us with access to the source code during the test.

Often referred to as white box testing this enables our consultants to achieve far wider and deeper coverage of an application in the same amount of time. This is because suspected issues can be verified more quickly and searched for in other parts of the code. The majority of tests we conduct these days are performed in this manner.

Source code is stored in accordance with our ISO27001 information security requirements and is securely deleted once the engagement has completed.

Resources

A high level overview of a typical penetration testing engagement.


Next Steps

Want to discuss your requirements further? Wondering whether a Penetration Test is right for your business? There's an easy way to find out, give us a call or complete the contact form below to tell us where you're at and we will work with you to find the best solution for you.