Product Penetration Testing
Technical testing and source code review of your product's web, mobile, cloud, or node infrastructure to identify security vulnerabilities and assess its susceptibility to the threats it is most likely to face.
1
Initiation & Objectives
Work with your team to define the appropriate scope and objectives of the testing. Walk through your technology stack and review architecture diagrams and threat models to understand the target scope.
2
Dependencies & Planning
Identify project dependencies and set up any necessary tooling, test accounts, or environments. The goal of this step is to build a test environment that matches production as closely as possible, including the different states the system can be in.
3
Manual Review & Testing
Familiarize ourselves with the target and manually review the code for security vulnerabilities, business logic flaws, and adherence to the specification. We take a phased approach to this review, starting from a complete black-box perspective and ending with a full source code review, in order to get the most coverage.
4
Dynamic Testing
Dynamically test the in-scope environments using automated tools in the production-like environment set up earlier. We use both static analyzers and dynamic testing tools during this phase, depending on the scope and the technologies in use. All tool output is manually verified to eliminate false positives.
5
Assess & Report
Evaluate the findings to identify potential exploit chains and develop proofs of concept that demonstrate the business impact of the identified vulnerabilities. Produce an assessment report covering the methodology used, the findings, and recommendations for remediation. The engagement also includes retesting of the identified findings once they have been addressed.