Decrypting

Compliance gap analysis, forensic & threat analysis, vulnerability scanning – comprehensive IT security audits and assessments.

IT Security Assessments and Audits

The principal idea behind carrying out this type of audit or assessment is to expose and identify information security weaknesses in applications, systems or networks, whether custom developed or supplied by a third-party provider, without a significant amount of post-exploitation. If you are looking for a significant amount of post-exploitation, you may need penetration testing.

Our Security Auditors combine manual analysis (of application logic, susceptibility to common attack vectors and insecure development practices) with the latest commercial and open-source tools. Results are repeatable, measurable and reveal the root cause of a weakness, so the correct remediation advice can be given.

It should not be confused with a vulnerability assessment or ‘scan’, which you can find here.

It should be noted that as part of a holistic security approach we strongly recommend that all aspects of your infrastructure be tested, assessed or audited in phases.

(attackers have no scope and will attack what they please)

Some of the types of IT security assessments and audits we perform include:


The cost of network downtime is massive, even for small and medium sized enterprises.

Such outages are costed by the minute, not the hour.

Our network security assessments are designed with this front and centre: your network and attached infrastructure need to be hardened so that such a scenario is as remote a possibility as possible.

We intend our security audit to function as both a business continuity planning exercise and a hardening exercise, rather than a pure security audit, because many factors apart from malware and hackers can cause downtime.

Over half of businesses do not even have a disaster recovery plan. A security audit, which is very appealing to upper management, is also a great time to have a conversation about disaster planning and incident response.

Talk with us

Web application assessments are our favourite. One should not have favourites, but web applications are exciting, dynamic and always an interesting challenge. Web applications also account for a large share of security breaches, so our attention to this area is well warranted, especially given that most traditional IT security technologies have basically no impact on web applications.

We have extensive experience with assessing application security, and we can perform this type of assessment with or without a penetration test, depending on your needs or budget.

Websites pose a unique security risk to business and we enjoy the challenges this presents.

Our methodology for web applications is very similar to the attitude we take with penetration testing of networks: attackers do not rely on expensive commercial tools. We take great pride in our web application testing methodology and reporting standards, which have been built upon and refined over years of experience and feedback. The methodology is based upon several well regarded standards, such as OWASP, and all results are always referenced against their appearance in the wild in actual exploits.

Methodology Summary

  • Open Source Analysis / Open Source Intelligence.
  • Network Mapping and Discovery.
  • Hosts Fingerprinting and Enumeration.
  • Vulnerability Identification, Exploitation and Analysis.
Talk with us

iOS & Android applications are commonly targeted by cyber threat actors, yet are routinely under-protected and under-examined. Commonly, developers will scan their application with a tool from GitHub or similar and call it a day.

If you’re processing payments on mobile, or collecting sensitive customer information you need to have your app independently verified.

Application testing comes in many shapes and forms, but the principal idea behind this type of security assessment is to expose information security weaknesses by simulating an attacker attempting to circumvent security controls and gain unauthorised access. Like penetration testing, it should not be confused with a vulnerability assessment or ‘scan’, since ideally the source code of the app is included in the audit.

After identifying any security risks inside the mobile application, we rank them in order of severity so your team can focus on the areas of most concern, or emphasise the importance of certain issues to management.

Methodology

  • Application Traffic Analysis and Sniffing
  • Runtime analysis and disassembly
  • Storage Investigation

Methodology used during the security audit builds on the framework supplied by OWASP.
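The "Storage Investigation" step above, as an added example that is not Whitehack's own tooling: it assumes the app's private data directory (for instance /data/data/<package>/ on Android) has already been pulled from a test device, and checks two of the OWASP MASVS storage controls, plaintext secrets in SharedPreferences XML and files left readable or writable by other apps. The package name com.example.bank, the key-name heuristic and the sample files are constructed for the example.

```python
"""Storage investigation of an extracted Android app data directory.

Added illustration, not Whitehack's tooling. Assumes the app sandbox has
already been pulled from a test device; the sample sandbox built below is
constructed for the example.
"""
import re
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic: preference keys that usually hold credentials or session material.
SECRET_KEY_RE = re.compile(r"pass(word)?|secret|token|api[_-]?key|session|auth|pin", re.I)
# Compact JWS/JWT: three base64url segments; a JSON header always encodes to "eyJ".
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")


def scan_shared_prefs(xml_path):
    """Flag SharedPreferences entries whose key or value looks like a secret."""
    findings = []
    for el in ET.parse(xml_path).getroot():
        name = el.get("name", "")
        # <string> elements carry the value as text, primitives as a value= attribute.
        value = (el.text or "") if el.tag == "string" else (el.get("value") or "")
        if SECRET_KEY_RE.search(name) or JWT_RE.match(value.strip()):
            findings.append(f"{Path(xml_path).name}: '{name}' stored in plaintext")
    return findings


def scan_permissions(app_dir):
    """Flag files that other UIDs on the device could read or write."""
    app_dir = Path(app_dir)
    findings = []
    for p in app_dir.rglob("*"):
        mode = p.stat().st_mode
        if p.is_file() and mode & (stat.S_IROTH | stat.S_IWOTH):
            rel = p.relative_to(app_dir).as_posix()
            findings.append(f"{rel}: world-accessible (mode {oct(mode & 0o777)})")
    return findings


def audit_app_data(app_dir):
    """Run both checks over a pulled sandbox and return sorted finding strings."""
    findings = []
    for xml_file in sorted((Path(app_dir) / "shared_prefs").glob("*.xml")):
        findings.extend(scan_shared_prefs(xml_file))
    findings.extend(scan_permissions(app_dir))
    return sorted(findings)


def build_sample_app_dir():
    """Constructed sample sandbox for a hypothetical com.example.bank app."""
    root = Path(tempfile.mkdtemp(prefix="com.example.bank."))
    prefs = root / "shared_prefs"
    prefs.mkdir()
    (prefs / "auth.xml").write_text(
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        "<map>\n"
        '    <string name="username">alice</string>\n'
        '    <string name="password">Summer2016!</string>\n'
        '    <string name="jwt">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>\n'
        '    <boolean name="biometrics_enabled" value="true" />\n'
        "</map>\n"
    )
    (prefs / "settings.xml").write_text(
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        '<map><string name="theme">dark</string></map>\n'
    )
    cache = root / "cache"
    cache.mkdir()
    (cache / "session.token").write_text("9f2c41d7e0ab\n")
    # Android creates app-private files with mode 0600; a file opened with the
    # deprecated MODE_WORLD_READABLE flag ends up world-accessible instead.
    for p in root.rglob("*"):
        if p.is_file():
            p.chmod(0o600)
    (cache / "session.token").chmod(0o666)
    return root


if __name__ == "__main__":
    for finding in audit_app_data(build_sample_app_dir()):
        print(finding)
```

On the constructed sandbox the audit reports the password and the JWT in auth.xml and the world-accessible cache/session.token; settings.xml is clean. The key-name regex is deliberately broad, so the output is a list of candidates for the auditor to confirm, not a verdict.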
Click here for a case study

Talk with us

It’s pretty common for firewalls to be poorly configured or not working at all to prevent attacks, but they sure do find a way to interrupt legitimate users!

The first step of a Firewall or IDS audit is to gather documentation so we understand how your business functions. Policies, Network Diagrams, IP address schemes, Firewall locations and rulesets are all things we will be asking for to conduct this assessment.

Common issues we discover include:

  • rules that have no effect because they overlap with, or are cancelled out by, earlier rules;
  • unused rules;
  • a lack of rule comments (a business continuity issue);
  • excessive use of ‘any’ service being allowed in inappropriate locations.
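The rule-level checks described above, as an added example rather than Whitehack's own audit tooling: a static pass over a first-match ruleset that flags rules shadowed or made redundant by an earlier rule, rules with zero hits, rules without a comment, and allow rules that open every service. The Rule layout, the five-rule sample and its hit counters are constructed for the example; a real audit would load the ruleset and counters exported from the firewall.

```python
"""Static audit of a first-match firewall ruleset.

Added illustration, not Whitehack's tooling. The Rule layout and SAMPLE_RULES
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    rid: int
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    port: str          # destination port or "any"
    hits: int          # match counter read from the firewall
    comment: str = ""  # business justification; empty is itself a finding


def _addr_covers(outer, inner):
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def _field_covers(outer, inner):
    return outer == "any" or outer == inner


def shadows(earlier, later):
    """Under first-match evaluation `later` never fires if `earlier` covers all of its traffic."""
    return (_field_covers(earlier.proto, later.proto)
            and _field_covers(earlier.port, later.port)
            and _addr_covers(earlier.src, later.src)
            and _addr_covers(earlier.dst, later.dst))


def audit(rules):
    """Return (rule id, finding kind, detail) tuples for the issue classes above."""
    findings = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if shadows(e, r):
                # Same action: the later rule is dead weight. Opposite action:
                # the earlier rule cancels it, which is usually an ordering bug.
                kind = "redundant" if e.action == r.action else "shadowed"
                findings.append((r.rid, kind,
                                 f"never matched: rule {e.rid} ({e.action}) already covers its traffic"))
                break
        if r.hits == 0:
            findings.append((r.rid, "unused", "zero hits in the rule counters"))
        if not r.comment.strip():
            findings.append((r.rid, "no-comment", "no business justification recorded"))
        if r.action == "allow" and r.proto == "any" and r.port == "any":
            findings.append((r.rid, "any-service", f"permits every service from {r.src} to {r.dst}"))
    return findings


# Constructed sample: a web tier at 10.0.0.10 and a database segment 10.0.1.0/24.
SAMPLE_RULES = [
    Rule(1, "allow", "tcp", "any", "10.0.0.10/32", "443", 48213, "Public HTTPS to web front end"),
    Rule(2, "deny", "any", "any", "10.0.1.0/24", "any", 1204, "Block direct access to DB segment"),
    Rule(3, "allow", "tcp", "10.0.0.10/32", "10.0.1.20/32", "5432", 0, "Web tier to Postgres"),
    Rule(4, "allow", "any", "192.168.5.0/24", "any", "any", 77, ""),
    Rule(5, "allow", "tcp", "any", "10.0.0.10/32", "443", 0, "Legacy HTTPS rule"),
]

if __name__ == "__main__":
    for rid, kind, detail in audit(SAMPLE_RULES):
        print(f"rule {rid}: {kind}: {detail}")
```

In the sample, rule 3 is a genuine business requirement (web tier to Postgres) that never matches because the broad deny in rule 2 sits above it, which is exactly the "rules that cancel out other rules" case; the zero hit counter corroborates it. Rule 5 duplicates rule 1, and rule 4 opens every service from a workstation range with no justification recorded.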

Talk with us

Secure code audits of C, C++, C#, Java, VB.NET, PHP, Perl, Python and Ruby at this time.

We are also able to review assembly: 32-bit x86, and ARM including Thumb mode.

Given the nature of this type of audit, we suggest you drop us a line to talk specifics of your application.

Our audits aren’t done with just security in mind; they extend throughout the whole software development life-cycle.

Talk with us

We begin by identifying undesirable events and associated critical assets.

We then assess the ease with which certain undesirable events could be carried out, such as:

  • Social Engineering.
  • Lock Picking.
  • Alternative means of access, such as Ventilation Systems.
  • Alarm System avoidance.
  • Destructive Entry.

Once this is completed, we then build a protection and remediation strategy to enable you to operate in a more secure fashion.

Talk with us
