Security Code Review

After years of neglecting Information Security, many organisations have now opened their eyes and have started hiring external security consultants to test their applications. These consultants typically come in for a few days every year and test the organisations’ web applications. They produce a report, which is then acted upon (or not, as it happens in many cases), and the matter is considered closed until the next year.

A False Sense of Security

The typical black box penetration test scenario described above gives organisations a false sense of security. Yes, these attacks simulate the behaviour of a real attacker. But they do not go deep enough. Have you ever asked yourself why year after year consultants keep finding new issues in applications which haven’t evolved much? Or why some consultants find a lot more vulnerabilities than others?

Our Difference

At Agile Information Security, we specialise in white box application testing and code review. We couple the typical hacker simulation with an in-depth review of your code using automated tools and manual checks. If there is a vulnerability in your application, we will find it, as we have in dozens of proprietary and commercial applications. A typical security code review combined with a penetration test will find at least 50% more vulnerabilities than a penetration test alone.

Full Confidence

Any confidential data given to us, including source code, is kept encrypted with the top industry standard algorithms and handled accordingly. After the engagement is done, we wipe the data within 30 days and our Non Disclosure Agreements are honoured in perpetuity.



Penetration Testing

Our consultants have accumulated years of experience in performing penetration tests on applications and systems. We simulate, in various ways, an attack on your system as a real hacker would.

Black Box Penetration Test

Our most basic service, which is the most commonly offered by security consultancies. We probe your application’s defences from the outside and attempt to subvert its controls, bypass its business rules of operation and take control of it. Our consultants will use their extensive experience, off-the-shelf and custom tools to try to identify and exploit any vulnerabilities in your application or system.

White Box Application Test

A much more comprehensive service than the Black Box Penetration Test. We perform the same tests but couple them with a “lightweight” code review. We review your code for the most common security vulnerabilities, such as Cross Site Scripting, SQL Injection, Code Execution, Cryptographic problems and many others. This is the service we sell the most, and a way to get very quick “wins” if you are trying to improve your applications’ security stance. It is also the method we use to find many vulnerabilities in proprietary and commercial software.

If you would like a more thorough and complete code review to find up to 100% of all the vulnerabilities in your code, we also have a service for that.

Infrastructure Penetration Test

Employing similar techniques to the Black Box Penetration Test, our experienced consultants will probe, scan and exploit the target network or networks for security vulnerabilities, and deliver a report detailing what was found and how to fix it. This test is useful for companies that want to test a specific part of the network, such as an affiliate or branch network, or even to test their entire network.

Red Teaming Penetration Test

Our most advanced offering - two or more of our consultants will be “dropped” in a target network, having User or Administrator level access to a desktop system inside the network. From then on, they will attempt to hack the highest possible number of desktops, servers and applications, and attempt to get Domain Administrator level on the network, while attempting to bypass existing protections like a real hacker would.
This type of test is extremely useful to understand how resilient a company is to an intruder who is already inside the network - the ultimate test in resilience and cyber security.

Fuzzing

We also provide a range of more specialised services that can assist you in finding vulnerabilities. We are experts in fuzzing technologies, used mostly in product security assessments to understand the resilience of your native code against a malformed file or network packet.

Applicable To All Scenarios

The previously described Penetration Testing Services are applicable to applications, servers, embedded devices, firewalls, smartphones, set-top boxes, laptops, workstations, routers, etc.



Reverse Engineering

Reverse Engineering (RE) is more of an art than a science, so the saying goes. However, with decades of combined experience in “RE”, our consultants use their unique skills plus a combination of techniques developed over the years to minimise the time spent and deliver exactly what our clients want.

Our Experience

We have helped clients to reverse engineer:

  • A proprietary file format, so that their products can work with those files.
  • A product validation algorithm, to allow third party products to pass that validation as an original product would, enabling interoperation.
  • An outdated application, for which there is no source code, so that the client can replace this legacy application with a newer middleware layer.
  • Third party code to discover and develop exploits for previously unknown (0 day) vulnerabilities.

We have reverse engineered applications and products written in C, C++, C#, Java, Python, Ruby, Go, Rust and others. Our consultants have ample experience reversing binary applications for which there is no source, only assembly code such as x86, x64, ARM, MIPS, SH-4 and others.

Legality

Please note that due to the specialised nature of these services, some of them cannot be offered outside certain regions. For example, it is allowed to reverse engineer a product for interoperability purposes in the European Union and United States, but that might be illegal in other jurisdictions. Even in the US and EU, it is not legal to bypass Digital Rights Management protections in most cases.

Vulnerability research and exploit development services can only be offered to clients which are based in NATO countries.



Secure Architecture & Threat Modelling

Most companies perform penetration tests, code reviews and similar risk management exercises on their products.

However, this is a case of “closing the stable door after the horse has bolted”. In reality, proper security engineering starts at the design phase of any product. Designing your product with security in mind is 1000 times less costly than doing it after releasing it.

At Agile Information Security, we have ample experience helping clients develop secure software. We help you analyse the data flows, components, authentication, authorization, data storage, encryption and other key parts of the product to ensure they are secure from the start, saving you millions of dollars in future problems.

Having said that, if your product is already in production and needs an update to its architecture, or if you would like to perform a Threat Modelling exercise in order to uncover possible vulnerabilities and risks, we are here to assist you.

We recommend these services to any company that is developing products for commercial, government, law enforcement or military use.



Product Security

A holistic service that fuses our experience in Penetration Testing, Fuzzing, Vulnerability Research, Reverse Engineering, Hardware Security, Secure Architecture and many other skills.

We take apart your products as a hacker would, employing skills honed in years of research and hacking, and find ways to subvert their security controls, obtain sensitive data, reveal secrets and perform unintended actions. Our consultants have extensive experience in this field, having worked for some of the largest companies in the world providing product security services on everything from mobile phones to embedded servers, applications and cloud infrastructure.

We will help you uncover vulnerabilities and bad practices in your flagship products with advanced techniques way beyond our competitors’ capabilities. Some of our consultants have won several hacking competitions such as the world renowned Pwn2Own, which focus exclusively on product security, beating companies from large multinationals.



Incident Response & Network Monitoring

Even the best security systems fail, and sometimes all that is needed is a careless employee or developer that allows a hacker inside your network. Incidents occur, and when they do, it is best to deal with them as quickly as possible.

Incident Response

If you are the victim of a hacking attack or security breach, we can assist you with:

  • Securing the network and kicking out the attackers.
  • Determining the cause of the breach.
  • Establishing what information was stolen or deleted, and what damage was done by the attackers.
  • Monitoring the network to ensure the attackers do not come back.
  • Ensuring that similar breaches do not happen again.

Network Monitoring

We can also help you develop your Network Monitoring capabilities.

Our consultants have plenty of experience assisting small and large organisations with creating, developing and improving their Security Information and Event Management systems. Our objective is to provide you with the knowledge, tools and training to increase staff competence and expertise, so that you can monitor your own networks and respond to security events.

Our unique application and infrastructure security knowledge can quickly identify gaps in your logging capabilities, monitoring systems and data flow tracking, and provide you with cost effective solutions to fill those gaps.



Contact us today to find out how we can help you.