After years of neglecting Information Security, many organisations have now opened their eyes and have started hiring external security consultants to test their applications. These consultants typically come in for a few days every year and test the organisations’ web applications. They produce a report, which is then acted upon (or not, as happens in many cases), and the matter is considered closed until the next year.
A false sense of security
The typical black box penetration test scenario described above gives organisations a false sense of security. Yes, these attacks simulate the behaviour of a real attacker. But they do not go deep enough. Have you ever asked yourself why year after year consultants keep finding new issues in applications which haven’t evolved much? Or why some consultants find a lot more vulnerabilities than others?
At Agile Information Security, we specialise in white box application testing and code review. We couple the typical hacker simulation with an in-depth review of your code using automated tools and manual checks. If there is a vulnerability in your application, we will find it, as we have in dozens of proprietary and commercial applications. A typical security code review combined with a penetration test will find at least 50% more vulnerabilities than a penetration test alone.