MANAGED SECURITY TESTING

Transcription

1 MANAGED SECURITY TESTING SERVICE LEVEL COMPARISON External Network Testing (EVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Unauthenticated Web App Scanning Validation Of Scan Results Manual ing: Most Exploitable Findings Manual ing: Any Exploitable Vulnerabilities Vertical Escalation Horizontal Escalation Attack Chains Escalation To Adjacent Systems Limited Phishing Client Side Attacks Social Engineering Custom Protocol Attacks Escalation To Internal Network Findings Report Video Evidence Post-Test Debrief

2 Internal Network Testing (IVS) Scanning Basic Threats Penetration Testing Network Vulnerability Scan Validation Of Scan Results Manual ing: Most Exploitable Findings Unauthenticated Web App Scanning Layer 2 Testing (Broadcast, ARP) Vertical Escalation Segmentation Testing Manual ing: Any Exploitable Vulnerabilities (Targets) Horizontal Escalation (Targets) Attack Chains Data Exfiltration Testing Enterprise Escalation Testing From Client Subnets Horizontal Escalation (Enterprise) Manual ing: Any Exploitable Vulnerabilities (Enterprise) Client Side / Browser Attacks Advanced Protocol Attacks Password Analysis Findings Report Video Evidence Post-Test Debrief

3 Application Testing (IVS) Scanning* Penetration Testing Basic Threats Application Vulnerability Scan Validation Of Scan Results Tools-based testing of all vulnerability classes listed below NA Manual Injection Testing Manual Session Management Testing Manual Account Policy Review Manual Information Disclosure Testing Manual Data Protection Testing Manual Authentication Testing Manual Authorization Testing Manual Testing For Simple Logic Flaws Manual Testing For Complex Logic Flaws Manual Testing For Cryptographic Weaknesses Manual Bounds Checking Testing Manual Application Resource Handling Checking Exhaustive Testing Manual Testing Of All Input Areas Findings Report Video Evidence Post-Test Debrief * The following page details what s included in the compliance and best practices levels of self-serve and managed scanning. As a part of any level of application penetration testing, Trustwave SpiderLabs experts will test your application for every vulnerability our tool can identify. From there, experts will then perform manual testing as noted in the chart.

4 Application Scanning Compliance Best Practices Self-Serve Managed Self-Serve Managed Database Injection Flaws Database Errors Windows/Unix Command Injection Windows/Unix Relative Path Integer Overflow Non-SSL Password SSL Checks Password Autocomplete Credit Card Disclosure Basic Authentication over HTTP Private IP Disclosure Application Exception Cross-Site Scripting (SS) DOM-based SS Directory Browsing Open Redirect Remote File Inclusion Cross-Site Request Forgery (CSRF) Insecure CORS Headers Cookie Vulnerabilities Session ID in URL Cross-Frame Scripting Manual Verification of Scan Completeness Manual Validation of Scan Results

5 Database Scanning Description Managed Compliance Scanning Trustwave managed database compliance scanning service includes four database vulnerability scans validated by Trustwave SpiderLabs experts. A compliance scan provides basic hygiene checks to measure compliance against a variety of compliance regimes. Managed Best Practices Scanning Trustwave managed database best practices scanning service includes four database vulnerability scans validated by Trustwave SpiderLabs experts. A best practices scan goes beyond the compliance scan to perform all checks against the database that result in actionable findings that if remediated will show measurable improvement in the security of database. For more information: Copyright 2015 Trustwave Holdings, Inc.