Obtain an accurate understanding of your security and risk posture, while ensuring compliance with industry regulators and information security best practices.
The overall goal of a product penetration test is to uncover software vulnerabilities, demonstrate the impact of the weaknesses, and provide recommendations for mitigation. During a penetration test, Praetorian has two primary objectives: obtaining unauthorized access and/or retrieving sensitive information. In this way, a Praetorian product security assessment provides a detailed and in-depth security analysis of an organization's critical applications within a product portfolio.
Vulnerabilities and compensating controls are categorized into the areas of configuration management, authentication and authorization, user and session management, data validation, error and exception handling, and data confidentiality. Using open source, proprietary, and commercial tools, Praetorian identifies both common and application-specific vulnerabilities. While our penetration tests do leverage automated scans, the majority of testing is performed through manual techniques since many application vulnerabilities hinge on logical and semantic flaws which, unlike syntactic bugs, are difficult to identify using automated analysis.
Product testing begins with network and operating system security tests to verify that the underlying platforms are configured securely. After performing initial platform testing, the penetration test shifts its focus to the application layer, which requires significant attention and comprises the majority of the engagement. Praetorian will first assume the role of an anonymous attacker who does not have valid credentials to the product.
If credentials are provided and authenticated testing is in scope, consultants will authenticate to the product using the roles of normal users to determine whether valid users can exploit vulnerabilities to gain access to the underlying infrastructure or to information the user is not authorized to access. For role-based systems, testing is conducted across all user roles. This not only ensures coverage across the entire product, but also allows in-depth testing of complicated authorization controls. For these reasons, Praetorian will typically request two user accounts per role. As an example, Praetorian will test a user's ability to access another user's information within the same role (horizontal privilege escalation) as well as a user's ability to access another user's information at a higher role (vertical privilege escalation).
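The following is an added example, not Praetorian's own tooling, that shows why two accounts per role matter for authorization testing. It models a hypothetical product with three roles and a hypothetical intended policy, enumerates every cross-account access check (horizontal, vertical, and downward), and compares a request handler's observed behaviour against the intended policy. A constructed bug in one handler lets same-role peers read each other's records; the example shows that with one account per role this horizontal flaw produces no findings at all, while with two accounts per role it is caught.

```python
"""Authorization test matrix: horizontal vs. vertical access checks.

Added example (not Praetorian's code). Roles, accounts, the intended policy
and the request handlers below are all hypothetical and constructed.
"""
from dataclasses import dataclass
from itertools import permutations

# Hypothetical role hierarchy: a higher level means more privilege.
ROLE_LEVEL = {"user": 1, "manager": 2, "admin": 3}


@dataclass(frozen=True)
class Account:
    name: str
    role: str


def make_accounts(per_role: int):
    """Provision `per_role` test accounts for every role (constructed names)."""
    return [Account(f"{role}{i}", role)
            for role in ROLE_LEVEL for i in range(1, per_role + 1)]


def intended(actor: Account, owner: Account) -> bool:
    """Hypothetical intended policy for reading `owner`'s records."""
    if actor.name == owner.name:          # everyone may read their own records
        return True
    if actor.role == "admin":             # admins may read everything
        return True
    if actor.role == "manager" and owner.role == "user":
        return True                       # managers may read their users' records
    return False


def buggy_handler(actor: Account, owner: Account) -> bool:
    """Constructed defect: the handler compares role levels only and never
    checks record ownership, so peers in the same role can read each other."""
    return ROLE_LEVEL[actor.role] >= ROLE_LEVEL[owner.role]


def fixed_handler(actor: Account, owner: Account) -> bool:
    """Corrected handler: enforces the ownership rule as well as the role rule."""
    return intended(actor, owner)


def classify(actor: Account, victim: Account) -> str:
    """Label a cross-account check by the direction of the attempted access."""
    a, v = ROLE_LEVEL[actor.role], ROLE_LEVEL[victim.role]
    if a == v:
        return "horizontal"
    return "vertical" if a < v else "downward"


def run_checks(accounts, handler):
    """Try every ordered (actor, victim) pair and return the findings, i.e. the
    cases where the handler's decision differs from the intended policy."""
    findings = []
    for actor, victim in permutations(accounts, 2):
        observed = handler(actor, victim)
        if observed != intended(actor, victim):
            findings.append((actor.name, victim.name, classify(actor, victim)))
    return findings


if __name__ == "__main__":
    print("one account per role, buggy handler:",
          run_checks(make_accounts(1), buggy_handler))
    print("two accounts per role, buggy handler:",
          run_checks(make_accounts(2), buggy_handler))
    print("two accounts per role, fixed handler:",
          run_checks(make_accounts(2), fixed_handler))
```

With a single account per role the buggy handler yields an empty findings list, because there is no same-role peer to test against; with two accounts per role the same handler produces four horizontal findings (each pair of users and each pair of managers, in both directions). Admins reading other admins' records is permitted by the hypothetical policy, so it is not reported.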
As vulnerabilities are discovered, Praetorian will exploit them in an attempt to achieve the primary objectives. Using commercial, open source, and proprietary tools, Praetorian implements a structured testing methodology to make the product assessment as efficient as possible.
Upon completion of the assessment, Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.
The report deliverable will include the following high-level sections in a format suitable for management:
The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and recommendations: