Security and Penetration Testing

How safe is your technology?

Security and penetration testing gives you the assurance that your vulnerabilities have been assessed and that the risk of a breach is managed as part of your overall security controls.

A robust security and penetration testing process provides a repeatable and thorough method for verifying and validating the effectiveness of security controls. The process followed needs to apply rigour and accountability to both vulnerability assessments and penetration tests.

The goal of security testing is to measure the effectiveness of security controls and to use that information to remediate shortcomings so that the security requirements are met.

Security testing is not a standalone process; it serves as an input to several other software and security processes, including:

  • Asset vulnerability identification within the IT Security Risk Management process;
  • Security control effectiveness review within the IT Security Certification and Accreditation process; and
  • Companion testing to component, system and integration testing within the System/Software Development Life Cycle (SDLC).

What we do

Before we perform any security or penetration testing, we ask for a security audit. A security audit is a systematic evaluation of your enterprise IT infrastructure defences.

Audits

If a security audit has not been performed, we perform the audit on your behalf. Over the course of this assessment, our security experts measure how well your security protocols comply with a list of established criteria to validate your security and risk posture.

Typically, a security audit should be conducted on a regular basis to secure your data and digital assets. If you’re in a highly regulated industry, engaging in this activity will also help your business ensure compliance (with HIPAA, GDPR, PCI-DSS, SOX, etc.).

Before you conduct a security audit, the security team will have to decide on the scope of the analysis. A typical security audit will assess the following:

  • Bring-your-own-device initiatives
  • Data- and access-related items (like cards, passwords, and tokens)
  • Email and Mail Exchange
  • Hardware configurations
  • Information-handling processes
  • Network
  • Physical configuration of the system and environment
  • User practices
  • Smart devices
  • Software configurations

The audit evaluates each of the above against past and potential future risks. This means that your security team should be up to date on the latest security trends and the measures taken by other organisations to respond to them.

At the end of the security audit, an in-depth report will be prepared covering the strengths and weaknesses of your current security arrangements. Whenever a vulnerability is identified, the cost of securing it should be evaluated against the cost of a breach.

Whenever your security protocols fall short (when compared to the latest hacking trends), it’s imperative to act fast, as a single vulnerability could lead to a significant data breach.

Testing

As part of our testing services, we perform the following tests to gauge the vulnerabilities that may exist. With a well-established penetration testing methodology based on industry best practices and our own specialist techniques, we ensure that you receive reliable and repeatable results that minimise the risk.

We start by profiling the most likely threats to your business. We examine your business processes, information flows and the technology that supports your operations. Once we have a better understanding of how your organisation works, we perform a suite of penetration test scenarios that are similar to those used by malicious attackers.

Penetration testing is ethical hacking: with the aim of penetrating your system, it checks how well you have protected your organisation against malicious attacks. We replicate the same methods typically employed by those looking to expose an organisation's vulnerabilities for the purpose of doing harm, and we attempt to breach the system to identify whether the network and systems can be compromised.

Dependency scanning checks the dependencies used by the code against known Common Vulnerabilities and Exposures (CVEs). This is useful because dependencies are commonly used within projects and access to their source code may not be possible. If a dependency is flagged as a potential security issue, this can be verified manually and either suppressed or remediated as required.

Static Application Security Testing (SAST) checks the source code for security vulnerabilities according to a set of predefined rules. This scanning can take place via an IDE plug-in while coding and during build time as part of the CI/CD process. This allows for checkpoints to be added that prevent the build from progressing once security issues have been found. SonarQube allows for testing of Salesforce/Apex code.

Dynamic Application Security Testing (DAST) runs active security checks against a live system. Ideally these systems should be connected end to end, with a performance load running in the background. This allows us to determine both the security impact of the test attacks should they succeed and the performance impact on users while they are using the system should the attacks fail.

Implementing the above automated test types in the CI/CD pipeline gives your project quick feedback on the progress of the software in development, including its functionality, performance and security posture. This allows project stakeholders to make timely decisions around feature planning, production deployment and remediation, because deficiencies are found earlier in the project rather than at its end.
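The dependency-scanning checkpoint described above, as an added illustration written for this page rather than code from Accuteque or any scanning product: pinned dependencies are compared against a constructed advisory list, a reviewed suppression (with a written justification) is honoured, and the build gate returns whether the pipeline may proceed. The package names, CVE ids and ticket reference are all constructed placeholders.

```python
# Constructed sample data (not real advisories): package -> advisories with first fixed version.
VULN_DB = {
    "examplelib": [{"id": "CVE-0000-0001", "fixed": "2.3.0"}],
    "otherpkg": [{"id": "CVE-0000-0002", "fixed": "1.0.5"}],
}
# Constructed pinned dependency list in requirements.txt style.
SAMPLE_REQUIREMENTS = """\
examplelib==2.1.0   # below the fixed version -> finding
otherpkg==1.0.5     # already at the fixed version -> clean
safepkg==0.9.1      # no advisories at all
"""
# A suppression records the manual verification: CVE id -> justification.
SUPPRESSIONS = {"CVE-0000-0001": "vulnerable code path not reachable, reviewed in ticket SEC-123"}

def parse_version(v):
    """Dotted numeric version -> tuple, so 2.10.0 compares above 2.3.0."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Parse 'name==x.y.z' lines; comments and blank lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, ver = line.partition("==")
            deps[name.strip().lower()] = ver.strip()
    return deps

def scan(deps, vuln_db, suppressions):
    """Return (findings, suppressed) as (pkg, version, cve, fixed) tuples; only a suppression with a written justification is honoured."""
    findings, suppressed = [], []
    for pkg, ver in deps.items():
        for adv in vuln_db.get(pkg, []):
            if parse_version(ver) < parse_version(adv["fixed"]):
                item = (pkg, ver, adv["id"], adv["fixed"])
                if suppressions.get(adv["id"]):
                    suppressed.append(item)
                else:
                    findings.append(item)
    return findings, suppressed

def gate(requirements_text, vuln_db=VULN_DB, suppressions=None):
    """CI checkpoint: True lets the build proceed, False stops it."""
    findings, suppressed = scan(parse_requirements(requirements_text), vuln_db, suppressions or {})
    for pkg, ver, cve, fixed in findings:
        print(f"FAIL {pkg}=={ver}: {cve}, upgrade to {fixed}")
    for pkg, ver, cve, fixed in suppressed:
        print(f"SUPPRESSED {pkg}=={ver}: {cve} ({suppressions[cve]})")
    return not findings
```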

How we can help you

Accuteque recognises that the experience and skills of our team are what will drive quality and value from this engagement to you, the client. Accuteque has an exceptionally talented team with extensive, relevant experience to provide to our clients.

Our team has the following qualifications to support the need for security and penetration audits and testing:

  • Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information System Control (CRISC)
  • Certified Information Security Manager (CISM)
  • Certified Information System Auditor (CISA) and Certified ISO27001 Lead Implementer
  • Australian Information Security Association (AISA) membership and participation in a retail security forum
  • Offensive Security Certified Professional (OSCP)

We offer three core services:

  1. Audits
  2. Vulnerability Assessments
  3. Security & Penetration Testing

A typical security engagement takes between 10 and 30 days, depending on the complexity and maturity of the technology environment.
