APPLICATION PENETRATION TESTING
Given the complexity of today’s environment, the traditional approach of securing applications through automated scanning tools is not an effective way of handling security. There is a need for a much more radical approach which should be robust, scalable, and able to connect with dynamics of application. Manual testing can effectively identify the vulnerabilities is an important component of this approach, along with skilled resources who have the expertise to interpret and provide solutions.
The different approaches to penetration testing include:
• Grey Box Testing
• Black Box Testing
• White Box Testing
WEB – To prevent your organization from possible breaches and reinforce existing security controls against a skilled attacker, our team offers penetration testing services based on a custom plan of a multistep attack that targets custom network infrastructure and applications.
Web application penetration testing uses manual and automated testing techniques to identify any vulnerability, security flaws or threats in a web application.
Our pen testing team has a wealth of experience with a wide range of web application frameworks and technologies, and is aligned to OWASP web security testing standards.
MOBILE – The drastic rise of smartphones in the workplace and everyday situations has made them the prime target for hackers. No computing device is 100% secure, and threat actors continue to explore new ways to exploit vulnerabilities on mobile devices. As per recent reports, 71% of fraud transactions came from mobile apps and mobile browsers in the second quarter of 2018.
Data breaches cost enterprises millions, and public reporting of a breach can severely impact a brand’s reputation. Since smartphone and mobile app use will only increase in the future, reliable mobile security is an absolute must.
Our team includes mobile application testing specialists on the iOS and Android platforms. Discover weaknesses in your mobile application APIs, and uncover vulnerabilities that could be exploited on a compromised device.
An API is a set of programming code that enables data transmission between one software product and another. It also contains the terms of this data exchange.
Web API security includes API access control and privacy, as well as the detection and remediation of attacks on APIs through API reverse engineering and the exploitation of API vulnerabilities as described in OWASP API Security Top 10.
Since data is exchanged in standard formats (XML, JSON), API testing is language agnostic. Any programming language can be used to create API tests. API responses can be easily validated since most languages have libraries to compare data in these formats. End-to-end testing can’t be done unless all parts of the application are ready. With API testing, the business logic can be tested early on even when the GUI is still under development. This also facilitates easier end-to-end testing at a later stage. Because APIs are usually well specified, API testing leads to high test coverage. Moreover, UI changes often during development. API tests based on well-defined specifications are easier to maintain.
THICK CLIENT – A thick client is a computer application runs as an executable on the client’s system and connects to an application server or sometimes directly to a database server. Unlike a web-based application, thick clients require a different approach to testing, as they are not easy to proxy using a client-side proxy tool such as Burp Suite.
The use of ‘security by obscurity’, where the coding team thinks that because the application is compiled into an executable, the testing team won’t come to know its internal workings is very common in these cases. This is evidenced by the use of hard-coded credentials, magic numbers, weak encryption, etc.
A very specific approach is used by our SMHR team while testing these applications which is followed after understanding application in terms of technologies used, functionality, behaviour, and entry points for user inputs, core security mechanisms used by the application, languages, and frameworks.