GOAL: To assess the readiness of the application and the underlying network infrastructure to defend against potential threat actors
GREY BOX (Using credentials): Simulate a privileged user with access to information about the system’s structure and authentication
WHITE BOX (with access to source code): Simulate a privileged internal user with full access to information about the system’s structure and code base
BLACK BOX: Simulate an external user with no knowledge of the system’s internal workings or codebase, relying solely on input and output analysis to test the functionality and behavior of the software.
COVERAGE:
- A hybrid testing approach will be employed that combines manual testing tools, custom scripts, and automated scanners.
- All potential threats, including threats to business functionality and insider threats, will be identified and tested comprehensively. A static secure code scan will be conducted using a widely used commercial tool to uncover vulnerabilities at the code level without executing the code. This approach takes an "inside out" perspective on testing.
- The reports will provide detailed information on an attack's actual impact on the business and the technical specifics of each identified vulnerability.
- The identified vulnerabilities will be mapped against regulatory standards and compliance frameworks such as HIPAA, PCI, SOC 2, and ISO 27001.
KEY AREAS COVERED IN APPLICATION PENETRATION TESTING
AUTHENTICATION AND AUTHORIZATION
Evaluate the security of authentication and authorization mechanisms
INPUT VALIDATION
Verify the adequacy of input validation to prevent common attacks
SESSION MANAGEMENT
Ensure secure and robust session management to prevent hijacking
ERROR HANDLING
Review error handling mechanisms to prevent leakage of sensitive information
THIRD-PARTY COMPONENTS
Assess the security of third-party components for vulnerabilities and updates
BUSINESS LOGIC
CLIENT-SIDE SECURITY
FILE AND RESOURCE MANAGEMENT