There are two types of penetration tests we provide our clients:
• Application; and
• Hardware/Network.
During an Application penetration test we use the OWASP application testing methodology to manually test each of the fields in your application to ensure no vulnerabilities are present which can be exploited to gain unauthorised access. If requested, we use commercial tools such as Nessus and Burp Suite; however, this increases the cost of the test and we believe it does not add value to the client, as Nessus results can be replicated using OpenVAS. If a vulnerability is found we write custom scripts to extract or inject data and work with you to fix the issue.
A Hardware/Network penetration test is done by mapping the internet-facing network infrastructure, identifying the open ports, the firewalls and rules implemented between networks, and the OS versions running on any external devices. A relevant vulnerability scan is then conducted and, if weaknesses are found, these are either communicated or exploited depending on client requirements.
PCI Compliance Testing;
We are fully conversant with the technical security requirements for PCI. We are up to date with version 2.0 of the PCI standard as well as the Point-to-Point Encryption standard released in September 2011.
For clients who require PCI compliance, this means that any solution or design proposal which incorporates open source methodologies or technologies is going to be PCI compliant right from the design through to the implementation.
We document our work completely and thoroughly so that handovers, training and documentation are always of the highest professional standard and clients have a 100% understanding of the work carried out and, where relevant, the hardware/software setups.
Application Firewall implementations (Opensource);