Is your Web Application. "Hacking Proof"?

Transcription

1 w Hackers Locked Security Testing Services v Is your Web Application Hackers Locked Security Testing Services "Hacking Proof"? Hackers Locked Penettrattiion Testtiing Serviices

2 HL PENETRATION TESTING SERVICES 70 % of threats are at the Web application layer Gartner - Web applications are a critical success factor for your business. Your office premises protects your business from intruders and keep your assets safe. Your web application should not be an exception! Many security testing companies focus their assessments around blindly trusting output of tools to create a risk snapshot And yes, it is a compelling thought to just be able to click start and then end up with a full report, but a real Hacker goes way beyond. We do the same. WEB APPLICATION PENETRATION TESTING We are all under attack Even if you do not think that is the case, or you may not notice attacks in your day to day business the attacks are still ongoing on your web application. Your company website is the modern day gateway for your client to reach you. Did you ever ask the question Is your website secure? Over the last few years, the demand for security testing services has grown dramatically as businesses have recognized the need to provide assurance that they are protected from external and internal threats. We provide testing services that can be applied before and after implementation and as part of a regular testing strategy. In essence these services emulate real-life threat agents, for example disgruntled employees, external hackers of various skill levels, or even industrial espionage operations. Tests can target the business web applications, Quite often, clients request that our testing team goes after a predefined target, such as a sales database, without restrictions in techniques - exactly as a real attacker would operate. Careful planning and strict control make these special tests safe: no disruptions to your operations and obviously no harm to your employees occur. We have developed testing techniques where vulnerabilities in your environment can be located, tested and remediation advice given. Scenarios of successful attacks are described in detail. All of our advice is given a business context to enable both technical and managerial audiences to appreciate the findings. OUR VALUE: When we work on Pentest we use tools Absolutely then the obvious question is how you are different from others? The difference is the subject matter expertise of our expert Penetrators. Once the tool has given its output we dig deeper, understand the reported vulnerabilities, verify exploits and lookout for unknown issues in the application s business logic. We create specific manual test cases that enable us to reproduce scenarios that would reflect impact of a real time Hack Attack.

3 OUR PROCESS: Security is a complex business, not for our clients. They truly believe we simplify Security and they can focus on their core business while we keep it secure. A snapshot of your security testing experience with Hackers Locked : You Order: In this stage you provide your mandate for testing your web application. This includes signing a non disclosure agreement and agreeing deliverables. Output of this stage will be the agreed scope, letter of authority and a detailed approach. We Test In this stage we perform ethical hacking on your web application. This is replication of a real time attack executed in a controlled environment on pre agreed terms. Output of this stage is our test report which includes SMART action points. Our reports clearly differentiate between positive and negative test cases so that you know where you score and where you still need to improve. Hackers Locked provided us with a fast, efficient and high quality service. The final report was well presented, detailed and gave us confidence in the quality and robust nature of the testing carried out. Hackers Locked services are fully featured, responsive and represent excellent value for money. Matthew Hammond University of Edinburugh You Fix Your development team will convert our SMART action points to technical fixes for each vulnerability identified in the report and we will support your team with our expert advice. Output of this stage will be a readiness report for re-test. We-retest Once you fix the holes we re-test to ensure all the fixes are effective to prevent any compromise. This is done by doing a re-test and once we successfully verify the fix then the test will be concluded as a successful test resulting in a web application security certification. OUR ATTITUDE TOWARDS PENTEST In a penetration test we simulate hacker attacks, effectively exploiting vulnerabilities using rather sophisticated techniques to gain unauthorized access or forcing a web application to serve an unintended purpose by exploiting the business logic or technical blind spots that your developers overlooked. Corpedia's experience with Hacker's Locked was exceptional. Communication was prompt, service was great and the assessment thorough. Follow-up documentation and test case data was also very helpful. We would certainly use this service again! Scott Baugh Corpedia

4 OUR METHODOLOGY Hackers Locked has developed its own Penetration testing methodology called Hackers Proof. This is an advanced methodology created by HL s Security Research Team. This methodology enables Hackers Locked to apply dynamic Vulnerability Research and Propritory Exploit Development techniques to many aspects of testing during service delivery. Hackers Lockedpenetration testing deliverables are guaranteed to be free of false positives and usually include findings that cannot be identified with industry standard testing methodologies. Hackers Proof is highly flexible and designed to be augmented by specific modules based on customer requirements. Modules include but are not limited to key components of the Open Source Security Testing Methodology Manual (OSSTMM), key components of the Open Web Application Security Program (OWASP), and Hackers locked proprietary modules always. OUR EXPERTISE We strongly believe choosing the right people can make or break any business.we don t settle for clinical hackers. We hire the best of breed, out of the box thinkers in this field and offer you nothing but the real deal. This said our team is fully trained and compete with the best when it comes to professional credentials. Some of these accolades include : We depended on the expertise of Hackers Locked to identify and report on the security of our design. Hackers Locked quickly identified a number of vulnerabilities and counseled us on how to correct them. We feel confident that our system can now protect our clients data, and feel fortunate that we could engage Hackers Locked to do this. Dr. Eric Bechhoefer, NRG Systems NRG Systems

5 WEB APPLICATION PENETRATION TESTING SERVICE HL s Web Application Penetration Testing services are derived from the the Open Web Application Security Project (OWASP) and heavily augmented by Real Time Dynamic Testing. OWASP is the de facto standard for designing and testing secure web applications. Hackers Locked focuses on key areas of OWASP that include but are not limited to the following: Areas Covered AUTHENTICATION AUTHORIZATION BUSINESS LOGIC TESTING SESSION MANAGEMENT Explanation Hackers Locked will attempt to find weaknesses in the authentication mechanisms and if possible exploit those weaknesses. Hackers Locked will also verify that the authentication methods in place are sufficient for protecting the type of information being protected. Hackers Locked will assess the Authorization controls of the web application to ensure that only authorized users can perform allowed actions within their privilege level. Hackers Locked will assess the business logic of the web application. Business Logic Testing is unconventional as it attempts to disrupt the logic of an application. This is one of the key areas where we use our propritory testing techniques to get excellent results. Hackers Locked will assess the Session Management capabilities of the target to ensure that sessions once established can not be misused or hijacked. Industry Standards DS5 as outlined by OWASP. DS5 as outlined by OWASP and DS5 as outlined by OWASP. OWASP and NIST Framework for information security PO8 and PO8.4 as outlined by OWASP. DATA VALIDATION INTERPRETER INJECTION CANOCALIZATION, LOCALE and UNICODE ERROR HANDLING, AUDITING and LOGGING Hackers Locked will assess the target to ensure that it is sufficiently robust to protect against all forms of input data, whether obtained from the user, infrastructure, external entities, or database systems. Hackers Locked will assess the target to ensure that it is sufficiently robust to protect against well-known perimeter manipulation attacks that affect common interpreters. Hackers Locked will assess the target to ensure that it is sufficiently robust when subjected to encoded, internationalized and Unicode input. Often times these types of inputs are overlooked when creating a Web Application which enables attackers to manipulate Web Applications by using different types of encoding techniques.. Hackers Locked will ensure that errors are handeled in a secure manner and don t act as a source of information or data leak. COBIT T opics: DSS11 as outlined by OWASP. COBIT T opics: DSS11 as outlined by OWASP and guidelines in NIST information security framework. DS11.9 as outlined by OWASP DS11, DS11.4, and DS11.8 as outlined by OWASP. FILE SYSTEM Hackers Locked will assess the File System protection mechanisms that are in place to ensure that access to the local file system or any of the file systems are sufficiently protected from unauthorized manipulation or data viewing.. DS11, DS11.9, and DS11.20 that are outlined by OWASP

6 Areas Covered BUFFER OVERFLOWS ADMINISTRATIVE INTERFACES CRYPTOGRAPHY CONFIGURATION MANAGEMENT DENIAL OF SERVICE ATTACKS Explanation Hackers Locked will assess the target for Buffer Overflow vulnerabilities to ensure that the target does not expose itself to faulty components. These vulnerabilities often times enable attackers to compromise the system and eventually gain administrative levels of access to the system. Hackers Locked will assess the Administrative Interfaces for the target to ensure that administrative level functions are properly segregated from user activity, that users cannot access or utilize administrator functionality, and to ensure that the interfaces provide the proper auditing and tracking functions. Hackers Locked will assess the Cryptographic capabilities of the target to ensure that data is stored and transmitted in the safest possible manner with respect to the applications functions and requirements. Hackers Locked will assess the configuration of the target to ensure that no configuration vulnerabilities exist. Hackers Locked will also assess the configuration of the target to ensure out of box security should the target be re-deployed, or replicated. Hackers Locked will assess the target to ensure that it is not vulnerable to Denial of Service Attacks. Examples of these attacks would be Excessive CPU Consumption, Excessive Disk I/O Consumption and Excessive Network I/O Consumption. Industry Standards DS11.9 PO4 4.08, 4.10 as outlined by OWASP. DS5.18 as outlined by OWASP. DS6 as outlined by OWASP, ISO guidelines and NIST information security framework. Based on the CERT/CC framewwork OUR RELATED SERVICES Automated Vulenerability Scanning System Hackers Locked Vulnerability Scanning System (HLVS) puts the power of advanced security services in your hands through rich functionality, flexibility and ever improving fail-safe capabilities.it is completely browser-based enabling secure interaction and management from any location. HLVS does not require any new hardware or software, in other words seamless integration is the key to this solution.automated scanning adjustable to your business and customer needs. Automated custom reporting delivers comprehensive results to you without manual intervention right in the comfort of your home or office. HLVS threat database is updated every day via commercial and open source feeds. This means that you can stay ahead of the hackers and protect your infrastructure and web application from emerging threats.our threat alerting system wil send you a alert via SMS or as soon as a High or Critical issue is discovered. HLVS is a highly scalable solution which can let you scan from 1 to 1 million IP s with just few clicks.

7 Below is a snapshot of our HLVS benefits and sample security dashbaord

8 CONTACT US Do you have questions related to this service? USA Mailing Address: Hackers Locked Technologies 616 Corporate Way, Suite Valley Cottage, New York 10989, USA. Call : Web : info@hackerslocked.com 24 X 7 Online Chat Support USA Corporate Affairs : Provensec LLC 2711 Centerville Road, Suite 400, Wilmington, DE 19808, United States.