The term ‘security assessment’ is used to describe the process of assessing a system, such as a network or an application, for the purpose of finding security flaws that can lead to cyber attacks. There are several ways to perform security assessments for a system. At Software Secured, we follow an attack simulation approach, combining the latest hacking techniques, which are manually executed by our experienced engineers. In addition, we apply our proprietary testing stack, advanced threat modeling, and real-time portal dashboard for reporting, giving you the best coverage and depth in the industry.
We use several techniques in our attack simulation to automate the discovery of basic attacks. We continue pushing the boundaries of what tools are capable of finding, giving us the chance to spend more manual testing time on finding harder to discover vulnerabilities, such as business logic vulnerabilities. Quarterly deep assessments to locate vulnerabilities and continuous re-testing on patched issues ensure that the application is covered year-round, both during and between major releases.
We follow a stringent process, combined with a checklist of over 200 security items that are reviewed in every assessment. Our checklist is continuously updated with the most recent techniques to ensure that as many code paths in the application have been tested. Better yet, our pentesters apply their creativity and intuition to go deeper, finding new vulnerabilities beyond the checklist, creating a true attack simulation.
We spend a fair amount of time understanding the business purpose of the application through threat modeling, allowing us to go deeper and understand the attacker’s motivation. By assessing various use cases, we unlock insights into potential vulnerabilities in the application design that would otherwise remain hidden.
Given our three areas of focus, we follow a seven-step process with every assessment:
This stage is all about understanding the application and its unique business logic. Meetings with the client and pen test provider help ensure that all parties are well-informed about the test. The test environment must be ready at this point.
Building out a threat model is essential to understand the common use cases of the application. An effective threat model can also identify security risks in the design of the application, which may be difficult to change at a later stage. But understanding these risks early helps prepare the rest of the security plan to work around them.
The fun begins. Pen testers start diving deep into the application with a mix of manual and automated approaches.
As critical vulnerabilities are identified, the client is notified immediately. Steps to reproduce the issue are shared with the client so that their development team can begin remediation as soon as possible.
The less severe vulnerabilities found during the early stages of the pen test are exploited and escalated as much as possible without affecting the function of the application (for instance, if a pen tester is testing a vulnerability and it risks taking down the entire application, they’ll take it as far as possible without creating any actual harm). Test environments and test accounts are created to prevent any real damage and exploitation to the live application.
Upon completion, pen testers will gather all found issues, regardless of severity, into a report. A good penetration testing provider should also include steps for replicating the issue so that the client’s development team can mitigate the issue.
After the report is delivered, the client may patch several vulnerabilities. A quality pen test provider will be able to retest these known vulnerabilities shortly after to verify that they have been fixed correctly or sufficiently. In some cases, the pen tester may require that the client develops a complete fix, and in other cases a “band-aid” solution may suffice for critical issues that need deeper attention later.
When all is good to go, the pen test provider can offer a certificate to the client as proof of application security. This certification is essential when earning compliance, such as SOC 2 or ISO 27500. It’s also helpful for closing enterprise deals (learn more about vendor security questionnaires here) or for startups that want to generate higher investor appeal.
Our attack simulation approach to security assessment can be delivered as a one-off engagement or continuously managed. Learn more about the differences between different types of application security testing today.