Security and Penetration Testing

How safe is your technology?

Security and penetration testing gives you the peace of mind that your vulnerabilities have been assessed and that the risk of a breach is managed as part of your overall security controls.

A robust security and penetration testing process ensures a repeatable and thorough method for verifying and validating the effectiveness of security controls. The security testing process that is followed needs to provide a method that applies rigour and accountability to vulnerability assessments and penetration tests.

The goal of security testing is to measure the effectiveness of security controls, using this information to contribute to the remediation of shortcomings to fulfil the security requirements.

Security testing is not a standalone process and serves as an input to several other software and security processes, including:

  • Asset vulnerability identification within the IT Security Risk Management process;
  • Security control effectiveness review within the IT Security Certification and Accreditation process; and
  • Companion testing to component, system and integration testing within the System/Software Development Life Cycle (SDLC).

What we do

Before we perform any security or penetration testing, we ask for your most recent security audit.  A security audit is a systematic evaluation of your enterprise IT infrastructure defences.

Audits

If a security audit has not been performed, we will perform one on your behalf.  Over the course of this assessment, our security experts measure how well your security protocols comply with a list of established criteria, to validate your security and risk posture.

Typically, a security audit should be conducted on a regular basis to protect your data and digital assets. If you are in a highly regulated industry, this activity will also help your business demonstrate compliance (with HIPAA, GDPR, PCI DSS, SOX, etc.).

Before a security audit is conducted, the security team has to decide on the scope of the analysis.  A typical security audit assesses the following:

  • Bring-your-own-device initiatives
  • Data- and access-related items (like cards, passwords, and tokens)
  • Email and Mail Exchange
  • Hardware configurations
  • Information-handling processes
  • Network
  • Physical configuration of the system and environment
  • User practices
  • Smart devices
  • Software configurations

The audit evaluates each of the above against past and potential future risks. This means that your security team should be up to date on the latest security trends and the measures taken by other organisations to respond to them.

At the end of the security audit, an in-depth report will be prepared covering the strengths and weaknesses of your current security arrangements. Whenever a vulnerability is identified, the cost of securing it should be evaluated against the cost of a breach.

Whenever your security protocols fall short (when compared to the latest hacking trends), it’s imperative to act fast, as a single vulnerability could lead to a significant data breach.

Testing

As part of our testing services, we perform the following tests to gauge the level of vulnerabilities that may exist.  With a well-established penetration testing methodology based on industry best practices and our own specialist techniques, we ensure that you will receive reliable and repeatable results that minimise the risk.

We start by profiling the most likely threats to your business. We examine your business processes, information flows and the technology that supports your operations.  Once we have a better understanding of how your organisation works, we perform a suite of penetration test scenarios that are similar to those used by malicious attackers.

Penetration Testing is ethical hacking – with the aim of penetrating your system – checking how well you have protected your organisation against malicious attacks.  We replicate the same methods that are typically employed by those who are looking to expose the vulnerability of an organisation for the purpose of doing harm.  We attempt to breach the system to identify whether we can compromise the network and systems. 

Dependency Scanning checks the dependencies used by the code against known Common Vulnerabilities and Exposures (CVEs).  This is useful because dependencies are commonly used within projects and access to their source code may not be possible.  If a dependency is flagged as a potential security issue, the finding can be verified manually and either suppressed or remediated as required.

Static Application Security Testing (SAST) will check the source code for security vulnerabilities according to a set of predefined rules.  This scanning can take place via an IDE plug-in while coding and during build time as part of the CI/CD process.  This allows for checkpoints to be added preventing the build from progressing once security issues have been found. SonarQube allows for testing of Salesforce/Apex code.

Dynamic Application Security Testing (DAST) runs active security checks against a live system.  Ideally these systems should be connected end to end, with a performance load running in the background.  This allows us to determine both the security impact of the test attacks should they be successful, as well as the performance impact on users while they are using the system should the attacks be unsuccessful.

Implementing the above automated test types in the CI/CD pipeline gives your project quick feedback on the progress of the software in development, including its functionality, performance and security posture.  This allows project stakeholders to make timely decisions around feature planning, production deployment and remediation, because deficiencies are found earlier in the project rather than at its end.
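The dependency-scanning checkpoint described above, as an added example that is not part of the original page or Accuteque's own tooling: it pins each dependency from a requirements file against a list of known-vulnerable version ranges, honours a reviewed suppression list (the "verified manually and either suppressed or remediated" step), and returns whether the build should be stopped. All package names, versions, advisory identifiers and ticket references are constructed placeholders, not real CVE data; a real pipeline would load the advisory feed from a vulnerability database and the suppressions from a file kept under review.

```python
"""Dependency-scan gate for a CI pipeline (illustrative example, not a real scanner).

All advisories, package names and versions below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so version ranges compare numerically.

    Non-numeric suffixes are dropped: '2.0rc1' becomes (2, 0), so a pre-release
    is treated as its base version, which errs towards flagging it.
    """
    parts: List[int] = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    """A known-vulnerable range: introduced (inclusive) up to fixed (exclusive)."""
    advisory_id: str   # constructed placeholder id, not a real CVE
    package: str
    introduced: str
    fixed: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed advisory feed; a real gate would pull this from a vulnerability database.
ADVISORIES = [
    Advisory("CVE-0000-0001", "jsonlib", "1.0.0", "1.4.2"),
    Advisory("CVE-0000-0002", "httpkit", "2.0.0", "2.3.0"),
    Advisory("CVE-0000-0003", "httpkit", "2.2.0", "2.4.1"),
]


@dataclass
class Finding:
    package: str
    version: str
    advisory_id: str
    fixed_in: str
    suppressed_reason: str = ""   # non-empty once a reviewer has accepted the risk


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Read 'name==version' pins. Comments and blanks are skipped; lines that are
    not pinned to one version cannot be matched against a range and are reported
    separately so the gate can refuse them."""
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
        else:
            unpinned.append(re.split(r"[<>~!=\[ ]", line)[0].lower())
    return pins, unpinned


def scan(pins: Dict[str, str], advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Match every pinned dependency against every advisory for that package."""
    findings: List[Finding] = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and adv.affects(version):
            findings.append(Finding(adv.package, version, adv.advisory_id, adv.fixed))
    return findings


def gate(requirements_text: str, suppressions: Dict[str, str] = None,
         advisories: List[Advisory] = ADVISORIES) -> dict:
    """Decide whether the build may proceed.

    suppressions maps advisory id -> documented reason; an empty reason is ignored,
    so a finding can only be silenced with a recorded justification.
    """
    pins, unpinned = parse_requirements(requirements_text)
    findings = scan(pins, advisories)
    for f in findings:
        reason = (suppressions or {}).get(f.advisory_id, "").strip()
        if reason:
            f.suppressed_reason = reason
    active = [f for f in findings if not f.suppressed_reason]
    return {
        "fail_build": bool(active) or bool(unpinned),
        "active": active,
        "suppressed": [f for f in findings if f.suppressed_reason],
        "unpinned": unpinned,
    }


# Constructed sample lockfile and suppression list for the example.
SAMPLE_REQUIREMENTS = """\
jsonlib==1.3.0   # inside the affected range: blocks the build
httpkit==2.2.5   # matches two advisories, one of them reviewed and suppressed
safelib==0.9.1   # no advisory
"""
SAMPLE_SUPPRESSIONS = {
    "CVE-0000-0002": "ticket SEC-123 (constructed): affected code path not reachable",
}

if __name__ == "__main__":
    report = gate(SAMPLE_REQUIREMENTS, SAMPLE_SUPPRESSIONS)
    for f in report["active"]:
        print(f"BLOCK  {f.package}=={f.version} {f.advisory_id} (fixed in {f.fixed_in})")
    for f in report["suppressed"]:
        print(f"ACCEPT {f.package}=={f.version} {f.advisory_id}: {f.suppressed_reason}")
    print("fail_build =", report["fail_build"])
```

The gate fails closed on unpinned dependencies as well as on unsuppressed findings, because an unpinned line cannot be checked against a version range and silently passing it would hide exactly the case the scan exists to catch. Keeping the reason text mandatory for a suppression is what makes the "suppress or remediate" decision auditable later.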

How we can help you

Accuteque recognises that the experience and skills of our team are what will drive quality and value from this engagement to you, the client. Accuteque has an exceptionally talented team with extensive, relevant experience to provide to our clients.

Our team has the following qualifications to support the need for security and penetration audits and testing:

  • Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA) and Certified ISO 27001 Lead Implementer
  • Australian Information Security Association (AISA) membership and participation in a retail security forum
  • Offensive Security Certified Professional (OSCP)

We offer three core services:

  1. Audits
  2. Vulnerability Assessments
  3. Security & Penetration Testing

A typical security engagement takes between 10 and 30 days, depending upon the complexity and maturity of the technology environment.
