A penetration test is a method of evaluating the security of a computer
system or network by simulating an attack from a malicious source, known as
a "Hacker". The process involves an active analysis of the system
for any potential vulnerabilities that may result from poor or improper system
configuration, known and/or unknown hardware or software flaws, or operational
weaknesses in process or technical countermeasures. This analysis is carried
out from the position of a potential attacker, and can involve active exploitation
of security vulnerabilities. Any security issues that are found will be presented
to the system owner together with an assessment of their impact and often
with a proposal for mitigation or a technical solution. The intent of a penetration
test is to determine feasibility of an attack and the amount of business impact
of a successful exploit, if discovered.
Primeon provides Application Ethical Hacking/Penetration Testing "Blackbox".
Within this offering, Primeon tests login to logout all functions and the
infrastructure on which the application resides. This service extends well
beyond tools, which are only finding less than 5% of the applications vulnerabilities.
Primeon requests 2 "conditioned" test accounts per each user level
and follows the apps workflow from start to finish to identify deeply rooted
vulnerabilities that go completely undetected by other approaches. Sr.engineers/testers
rolling up their sleeves to perform this comprehensive "deepdive"
truly differentiates Primeon within the application security marketplace.
This offering utilizes the Primeon unique methodology, vulnerability knowledge
base, and proprietary tools to identify the following common security issues:
- Invalid Parameters
- Broken Access Control
- Broken Account and Session Management
- XSS
- Buffer Overflows
- Command Injection Flaws
- Error Handling Problems
- Insecure Use of Cryptography
- Remote Administration Flaws
- Web and App Server Misconfiguration
A typical Ethical Hacking service engagement includes the following components:
Threat Modeling - Analyzing the appropriate targets and their potential
threats.
Discovery - Building information about the application and its hosting
environment.
Vulnerability Scanning - Testing system/service/application for known
vulnerabilities.
Manual Testing - Using the advanced testing tools to walk through the
complex business logic flow.
The tests include:
- Authentication test covering the requirements for Broken
Access Control
- Input validation test covering the requirements for XSS,
Buffer Overflows and Command Injection Flaws
- Parameter manipulation test covering the requirements
for Invalid Parameters
- Configuration management test covering the requirements
for Web and App Server Misconfiguration and Remote Administration Flaws
- Session management test covering the requirements for
Broken Account and Session Management
- Exception management test covering the requirements for
Error Handling Problems
- Authorization test covering the requirements for Broken
Access Control and Remote Administration Flaws
- Other tests as potential exploits are revealed covering
the requirements for Insecure Use of Cryptography, etc.
Analysis - Analyzing the results from previous components
for potential impact.
Reporting - Detailed findings and recommendations.