After years of neglecting Information Security, many organisations have now opened their eyes and have started hiring external security consultants test their applications.
These consultants typically come in for a few days every year and test the organisations’ web applications. They produce a report, which is then acted upon (or not, as it happens in many cases), and the matter is considered closed until the next year.
A False Sense of Security
The typical black box penetration test scenario described above gives organisations a false sense of security. Yes, these attacks simulate the behaviour of a real attacker. But they do not go deep enough. Have you ever asked yourself why year after year consultants keep finding new issues in applications which haven’t evolved much? Or why some consultants find a lot more vulnerabilities than others?
At Agile Information Security, we specialise in white box application testing and code review. We couple the typical hacker simulation with an in-depth review of your code using automated tools and manual checks. If there is a vulnerability in your application, we will find it. As we have found in dozens of proprietary and commercial applications. A typical security code review combined with a penetration test will find at least 50% more vulnerabilities than a penetration test alone.
Any confidential data given to us, including source code, is kept encrypted with the top industry standard algorithms and handled accordingly. After the engagement is done, we wipe the data within 30 days and our Non Disclosure Agreements are honoured in perpetuity.
Our consultants have accumulated years of experience of performing penetration tests on applications and systems. We simulate an attack on your system as a real hacker would in various ways.
Black Box Penetration Test
Our most basic service, which is the most commonly offered by security consultancies. We probe your application’s defences from the outside and attempt to subvert its controls, bypass its business rules of operation and take control of it. Our consultants will use their extensive experience, off-the-shelf and custom tools to try to identify and exploit any vulnerabilities in your application or system.
White Box Application Test
A much more comprehensive service than the Black Box Penetration Test. We perform the same tests but couple them with a “lightweight” code review. We review your code for the most common security vulnerabilities, such as Cross Site Scripting, SQL Injection, Code Execution, Cryptographic problems and many others.
This is the service we sell the most, and a way to get very quick “wins” if you are trying to improve your applications’ security stance.
It is also the method we use to find many vulnerabilities in proprietary and commercial software.
If you would like a more thorough and complete code review to find up to 100% of all the vulnerabilities in your code, we also have a service for that.
Infrastructure Penetration Test
Employing similar techniques to the Black Box Penetration Test, our experienced consultants will probe, scan and exploit the target network or networks for security vulnerabilities, and deliver a report detailing what was found and how to fix it. This test is useful for companies that want to test a specific part of the network, such as for example an affiliate or branch network, or even to test their entire network.
Red Teaming Penetration Test
Our most advanced offering - two or more of our consultants will be “dropped” in a target network, having User or Administrator level access to a desktop system inside the network. From then on, they will attempt to hack the highest number possible of desktops, servers and applications, and attempt to get Domain Administrator level on the network, while attempting to bypass existing protections like a real hacker would.
This type of test is extremely useful to understand how resilient a company is to an intruder which is already inside the network - the ultimate test in resilience and cyber security.
We also provide a range of more specialised services that can assist you in finding vulnerabilities. We are experts in fuzzing technologies, used mostly in product security assessments to understand the resilience of your native code against a malformed file or network packet.
Applicable To All Scenarios
The techniques described in this page are not only for applications. We can perform any of these services on servers, embedded devices, firewalls, smartphones, set-top boxes, laptops, workstations, routers, etc.
Reverse Engineering (RE) is more of an art than science, so the saying goes. However, with decades of combined experienced in “RE”, our consultants use their unique skills plus a combination of techniques developed over the years to minimise the time spent and deliver exactly what our clients want.
We have helped clients to reverse engineer:
- A proprietary file format, so that their products can work with those files.
- A product validation algorithm, to allow third party products to pass that validation as an original product would, enabling interoperation.
- An outdated application, for which there is no source code, so that the client can replace this legacy application with a newer middleware layer.
- Third party code to discover and develop exploits for previously unknown (0 day) vulnerabilities.
We have reverse engineered applications and products written in C, C++, C#, Java, Python, Ruby, Go, Rust and others.
Our consultants have ample experience reversing binary applications for which there is no source, only assembly code such as x86, x64, ARM, MIPS, SH-4 and others.
Please note that due to the specialised nature of these services, some of them cannot be offered outside certain regions. For example, it is allowed to reverse engineer a product for interoperability purposes in the European Union and United States, but that might be illegal in other jurisdictions. Even in the US and EU, is it not legal to bypass Digital Rights Management protections in most cases.
Vulnerability research and exploit development services can only be offered to clients which are based in NATO countries.
Even the best security systems fail, and sometimes all that is needed is a careless employee or developer that allows a hacker inside your network. Incidents occur, and when they do, the best is to deal with them as quickly as possible.
If you are the victim of a hacking attack or security breach, we can assist you with:
- Securing the network and kick out the attackers.
- Determining the cause of the breach.
- Establishing what information was stolen or deleted, and what damage was done by the attackers.
- Monitor the network to ensure the attackers do not come back.
- Ensuring that similar breaches do not happen again.
We offer a comprehensive network monitoring service for small and medium enterprises.
Our approach is to deploy battle-tested sensors on your network to detect and prevent any malicious attacks on it. The sensors are constantly monitored to ensure any attack is detected quickly and dealt it.
Our experienced consultants review the output of these sensors on a regular basis to ensure they are kept up to date with the latest vulnerability and hacking detection technologies. If you have a Security Information and Event Management system (SIEM) we will connect our sensors to it to give you a full view of what is happening on your network.
Please note that this is not a 24/7 monitoring service, but more of an early alert system.
If you would like to have a 24/7 monitoring service, we can assist you in selecting a supplier, help you deploy security products such as SIEM and develop in house capabilities to monitor your network, as we have done before for both small and large clients.
Most companies perform penetration tests, code reviews and similar risk management exercises on their products.
However, this is a case of “closing the stable door after the horse has bolted”. In reality, proper security engineering starts at the design phase of any product.
Designing your product with security in mind is 1000 times less costly than doing it after releasing it.
At Agile Information Security, we have ample experience helping clients develop secure software. We help you analyse the data flows, components, authentication, authorization, data storage, encryption and other key parts of the product to ensure they are secure from the start, saving you millions of dollars in future problems.
We recommend this service offering to any company that is developing products for commercial, governmental or military use.
Contact us today to find out how we can help you.