© White Hack
Our security assessments come in many shapes and forms.
The principal idea behind carrying out this type of audit or assessment is to expose and identify information security weaknesses in applications, systems or networks, whether custom developed or supplied by a third-party provider, without a significant amount of post-exploitation. If you are looking for a significant amount of post-exploitation, you may need penetration testing.
Our security auditors combine manual analysis of application logic, susceptibility to common attack vectors and insecure development practices with the latest commercial and open-source tools. Results are repeatable, measurable and reveal the root cause of a weakness so the correct remediation advice can be given.
It should not be confused with a vulnerability assessment or ‘scan’, which you can find here.
As part of a holistic security approach, we strongly recommend that all aspects of your infrastructure be tested, assessed or audited in phases. Attackers have no scope and will attack what they please.
Some of the types of IT security assessments and audits we perform include:
The cost of network downtime is massive, even for small and medium-sized enterprises.
The costs of such outages are usually measured in minutes, not hours.
Our network security assessments are designed with this front and centre. Your network and attached infrastructure need to be hardened in such a way that such a scenario is as remote a possibility as possible.
We intend our security audit to function as both a business continuity planning and hardening exercise, rather than a pure security audit, as there are so many factors that can cause downtime apart from malware and hackers.
Over half of businesses do not even have a disaster and recovery plan. A security audit, which is very appealing to upper management, is also a great time to have a conversation about disaster planning and incident response.
Web application assessments are our favourite. One should not have favourites, but web applications are exciting, dynamic and always an interesting challenge. Web applications also account for the vast majority of security breaches, so our attention to this area is well warranted, especially given that most traditional IT security technologies have basically no impact on web applications.
We have extensive experience with assessing application security, and we can perform this type of assessment with or without a penetration test depending on your needs or budget.
Websites pose a unique security risk to business and we enjoy the challenges this presents.
Our methodology for web applications is very similar to the attitude we take with penetration testing of networks, that is, attackers do not rely on expensive commercial tools. We take great pride in our web application testing methodology and reporting expectations, which have been built upon and perfected over years of experience and feedback. The methodology is based upon several well-regarded standards, such as OWASP, and all results are always referenced against their appearance in the wild in actual exploits.
iOS & Android applications are commonly targeted by cyber threat actors, yet routinely under-protected and under-examined. Commonly, developers will scan their application with a tool from GitHub or similar and call it a day.
If you’re processing payments on mobile, or collecting sensitive customer information, you need to have your app independently verified.
Application testing comes in many shapes and forms, but the principal idea behind carrying out this type of security assessment is to expose information security weaknesses by simulating an attacker attempting to circumvent security controls and gain unauthorized access. Like penetration testing, it should not be confused with a vulnerability assessment or ‘scan’, since ideally the source code of the app is included in the audit.
After identifying any security risks inside the mobile application, we rank them in order of severity so your team can focus on the areas of most concern or emphasize the importance of certain issues to management.
The methodology used during the security audit builds on the framework supplied by OWASP.
It’s pretty common for firewalls to be poorly configured or not working at all to prevent attacks, but they sure do find a way to interrupt legitimate users!
The first step of a firewall or IDS audit is to gather documentation so we understand how your business functions. Policies, network diagrams, IP address schemes, firewall locations and rulesets are all things we will be asking for to conduct this assessment.
Common issues we discover are rules that have no effect because they overlap or cancel out other rules, unused rules, lack of commenting (a business continuity issue) and excessive amounts of ‘any’ service being allowed in inappropriate locations.
We perform secure code audits of C++, C#, C, Java, VB.NET, PHP, Perl, Python and Ruby at this time.
We’re also able to review Assembly — 32/bit bit x86 and ARM +Thumb mode.
Given the nature of this type of audit, we suggest you drop us a line to talk specifics of your application.
Our audits aren’t done with just security in mind; they extend throughout the whole software development life-cycle.
We begin by identifying undesirable events and associated critical assets.
We then assess the ease with which certain undesirable events could be carried out, such as:
Once this is completed, we then build a protection and remediation strategy to enable you to operate in a more secure fashion.