Attack Simulation Approach
The term security assessment describes the process of auditing a system, such as a network or an application, to find security flaws that can lead to cyber attacks. There are several ways to perform a security assessment of a system.
At Software Secured, we follow an attack simulated approach in which our experienced engineers manually execute the latest hacking techniques. In addition, we apply our unique process, checklists and hacking book, giving you the best coverage and depth in the industry.
We focus on optimizing 3 factors:
1. Coverage: we use several techniques to automate the discovery of basic attacks. We continue pushing the boundaries of what tools are capable of finding, giving us the chance to spend more manual testing time on finding harder-to-discover vulnerabilities, such as business logic vulnerabilities.
2. Depth: we follow a stringent process, combined with a checklist of 120+ security items that are reviewed in every assessment. Our checklist is continuously updated with the most recent techniques to ensure that as many code paths in the application as possible are tested.
3. Attack Simulation: we spend a fair amount of time understanding the business purpose of the application, allowing us to go deeper and understand the attacker’s motivation. This uncovers potential vulnerabilities that are usually hidden.
Given our 3 areas of focus, we follow a 6-step process with every assessment:
1. Kickoff Meeting
We begin with a kickoff meeting with the client to understand the business purpose of the application. This helps us better understand who is most likely to attack the application.
2. Threat Modelling Exercise
A threat modelling exercise is performed next. Threat modelling breaks down the system and outlines how and where the attacker can pose a threat. The artifact of this step is a set of application-specific test cases and attacks that are unique to the system under test.
We use best-in-class tools customized to fit the attack simulation process, combined with our proprietary tools and scripts, to provide you with a more thorough assessment.
4. Attack Simulation
Our security engineers apply their collective hacking experience, combined with the latest attack techniques, to simulate what an attacker would do in a real-life hacking scenario.
5. Coverage Control
Our checklist, which consists of 120+ security items, helps to ensure all bases are covered. This ensures that most of the application’s code paths are tested and maximum coverage is maintained for every assessment.
Finally, our team compiles the list of issues into an actionable report. Each issue is explained in detail along with the risk level associated with it, steps to reproduce, proof of concept, and detailed remediation steps.
Our attack simulated approach to security assessment can be delivered as a one-off engagement or continuously managed.