Security and Penetration Testing
How safe is your technology?
A robust security and penetration testing process ensures a repeatable and thorough method for verifying and validating the effectiveness of security controls. The security testing process that is followed needs to provide a method that applies rigour and accountability to vulnerability assessments and penetration tests.
The goal of security testing is to measure the effectiveness of security controls, using this information to contribute to the remediation of shortcomings to fulfil the security requirements.
Security testing is not a standalone process and serves as an input to several other software and security processes, including:
- Asset vulnerability identification within the IT Security Risk Management process;
- Security control effectiveness review within the IT Security Certification and Accreditation process; and
- Companion testing to component, system and integration testing within the System/ Software Development Life Cycle (SDLC).
What we do
Before we perform any security or penetration testing, we ask for your existing security audit. A security audit is a systematic evaluation of your enterprise IT infrastructure defences.
Audits
If a security audit has not been performed, we would perform the audit on your behalf. Over the course of this assessment, our security experts will measure how well your security protocols comply with a list of established criteria to validate your security and risk posture.
Typically, a security audit should be conducted on a regular basis to secure your data and digital assets. If you’re in a highly regulated industry, engaging in this activity will also help your business ensure compliance (with HIPAA, GDPR, PCI DSS, SOX, etc.).
Before you conduct a security audit, the security team will have to decide on the scope of the analysis. A typical security audit will assess the following:
- Bring-your-own-device initiatives
- Data- and access-related items (like cards, passwords, and tokens)
- Email and Mail Exchange
- Hardware configurations
- Information-handling processes
- Network
- Physical configuration of the system and environment
- User practices
- Smart devices
- Software configurations
The audit evaluates each of the above against past and potential future risks. This means that your security team should be up to date on the latest security trends and the measures taken by other organisations to respond to them.
At the end of the security audit, an in-depth report will be prepared covering the strengths and weaknesses of your current security arrangements. Whenever a vulnerability is identified, the cost of securing it should be evaluated against the cost of a breach.
Whenever your security protocols fall short (when compared to the latest hacking trends), it’s imperative to act fast, as a single vulnerability could lead to a significant data breach.
Testing
As part of our testing services, we perform the following tests to gauge the vulnerabilities that may exist. With a well-established penetration testing methodology based on industry best practices and our own specialist techniques, we ensure that you receive reliable and repeatable results that minimise the risk.
We start by profiling the most likely threats to your business. We examine your business processes, information flows and the technology that supports your operations. Once we have a better understanding of how your organisation works, we perform a suite of penetration test scenarios that are similar to those used by malicious attackers.
Penetration testing is ethical hacking: we attempt to penetrate your system to check how well you have protected your organisation against malicious attacks. We replicate the same methods that are typically employed by those who are looking to expose the vulnerabilities of an organisation for the purpose of doing harm. We attempt to breach the system to identify whether we can compromise the network and systems.
Dependency Scanning checks the dependencies used by the code against known Common Vulnerabilities and Exposures (CVEs). This is useful because dependencies are commonly used within projects and access to their source code may not be possible. If a dependency is flagged as a potential security issue, the finding can be verified manually and either suppressed or remediated as required.
Static Application Security Testing (SAST) checks the source code for security vulnerabilities according to a set of predefined rules. This scanning can take place via an IDE plug-in while coding and at build time as part of the CI/CD process. This allows checkpoints to be added that prevent the build from progressing once security issues have been found. SonarQube allows for testing of Salesforce/Apex code.
Dynamic Application Security Testing (DAST) runs active security checks against a live system. Ideally these systems should be connected end to end with a performance load running in the background. This allows us to determine both the security impact of the test attacks should they be successful, and the performance impact on users while they are using the system should the attacks be unsuccessful.
Implementing the above automated test types in the CI/CD pipeline will give your project quick feedback on the progress of the software in development, including its functionality, performance and security posture. This allows project stakeholders to make timely decisions around feature planning, production deployment and remediation, because deficiencies are found earlier in the project rather than at the end.
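The dependency-scanning and CI/CD checkpoint described above, as an added example (not Accuteque's tooling or any particular scanner's output format): a Python gate that reads a scan report, honours manually reviewed suppressions that carry a justification and an expiry date, and fails the build on unsuppressed findings at or above a severity threshold. The JSON layout, the suppression fields and every CVE id are assumptions constructed for the example.

```python
"""CI gate over a dependency-scan report (added example, not Accuteque's own tooling).

Assumptions: the scanner emits JSON findings with package, version, CVE id and
severity; suppressions are a reviewed list with a justification and an expiry
date. Every value below is constructed sample data, not a real advisory.
"""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output; the CVE ids are placeholders, not real CVEs.
SCAN_REPORT = json.dumps({"findings": [
    {"package": "libexample", "version": "1.2.0", "cve": "CVE-0000-0001", "severity": "critical"},
    {"package": "widgetlib", "version": "3.4.1", "cve": "CVE-0000-0002", "severity": "high"},
    {"package": "tinyutil", "version": "0.9.0", "cve": "CVE-0000-0003", "severity": "low"},
]})

# Constructed, reviewed suppression: a finding verified manually as not exploitable here.
SUPPRESSIONS = [
    {"cve": "CVE-0000-0002", "package": "widgetlib",
     "reason": "vulnerable code path not reachable (manual review ticket SEC-000, placeholder)",
     "expires": "2099-01-01"},
]

def evaluate_gate(report_json, suppressions, threshold="high", today=None):
    """Return (passed, blocking_cves, suppressed_cves) for a CI checkpoint."""
    today = today or date.today()
    findings = json.loads(report_json)["findings"]
    # Only unexpired suppressions count, so accepted risk is re-reviewed over time.
    active = {(s["cve"], s["package"]): s["reason"] for s in suppressions
              if date.fromisoformat(s["expires"]) > today}
    blocking, suppressed = [], []
    for f in findings:
        if (f["cve"], f["package"]) in active:
            suppressed.append(f["cve"])
        elif SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]:
            blocking.append(f["cve"])
    return (not blocking, blocking, suppressed)

if __name__ == "__main__":
    passed, blocking, suppressed = evaluate_gate(SCAN_REPORT, SUPPRESSIONS)
    print("gate passed" if passed else f"gate FAILED on {blocking}; suppressed {suppressed}")
    raise SystemExit(0 if passed else 1)  # a non-zero exit stops the pipeline stage
```

Run as a pipeline step after the scanner, the non-zero exit is the checkpoint that stops the build until the finding is remediated or a reviewed suppression is recorded.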
How we can help you
Accuteque recognises that the experience and skills of our team are what will drive quality and value from this engagement to you, the client. Accuteque has an exceptionally talented team with extensive, relevant experience to provide to our clients.
Our team has the following qualifications to support the need for security and penetration audits and testing:
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA) and Certified ISO 27001 Lead Implementer
- Australian Information Security Association (AISA) membership and participation in a retail security forum
- Offensive Security Certified Professional (OSCP)
We offer three core services:
- Audits
- Vulnerability Assessments
- Security & Penetration Testing
A typical security engagement takes between 10 and 30 days, depending on the complexity and maturity of the technology environment.
