Application Security Assessment Services – Security Assessments in Malaysia

CYBER SECURITY ASSESMENT SERVICES

Penetration Testing Services

Organizations are building, maintaining and improving their network defenses against internal and external malicious users and attackers every day. While understanding how well these defenses withstand adversaries, is imperative to keep your fortress secure.

HeBeSec group takes the time to understand our client’s business and think like an attacker would. This allows us to gain a holistic overview, as well as a technical point of view. Using set objectives, we will identify the weakest link first, and then escalate until one or several bastions fall, and we gain privileged access to information or systems.

Our penetration testing services leverage a hybrid approach composed of automated and manual testing methods for an in-depth review of the target systems & applications. During the assessment, our mission is to identify all possible vulnerabilities and security weaknesses affecting the assets in scope. Once a vulnerability has been discovered, our experts will attempt to exploit it in a safe and controlled manner to demonstrate the potential impact to the client.

Types of Penetration Tests

Web Applications

Comprehensive pen test of your web applications, web services and APIs that may be used to store and access critical business information, with the goal to identify and exploit web-borne vulnerabilities. Our ethical hackers will use advanced skills and techniques required to test modern web applications and next-generation technologies.

Network & Server Infrastructure

Evaluation of your internal or external information assets’ ability to withstand attacks. Our world-class penetration testers, armed with the same techniques as cybercriminals, will attempt to break into your network, IT infrastructure, cloud environment, and servers to raise awareness about vulnerabilities and the effects of exploitation, as well as end-user adherence to security policies.

Mobile Applications

Security review of your mobile applications to identify vulnerabilities specific to mobile computing environments, such as those defined by the Open Web Application Security Project (OWASP) and other emerging industry standards.

Wireless Networks

Comprehensive wireless security assessment services, ranging from traditional Wi-Fi networks to specialized wireless systems, which include identifying and exploiting vulnerabilities and providing guidance to strengthen such identified weaknesses.

Thick-Client

Our thick-client penetration testing services are designed to provide a comprehensive security assessment of your application, covering all layers from the client-side to data in transit and server-side. Our team of experienced pen-testers will perform an in-depth analysis of your thick-client application to identify and exploit vulnerabilities.

Active Directory (AD)

Our Active Directory penetration testing services are designed to identify weaknesses in Microsoft Windows Active Directory environments that could lead to privilege escalation and domain dominance situations. Our experienced pen-testers will use advanced techniques and tools to assess the security of your Active Directory environment, including identifying weaknesses in authentication, authorization, and access control mechanisms.

What Are We Testing During a Penetration Test?

The execution of our network penetration test is composed of three main phases explained below:

Active & Passive Reconnaissance

During this phase, our experts are performing an online reconnaissance using Open-source intelligence (OSINT) techniques to discover information about the target organization and systems. In addition, underlying components such as operating systems, running services, software versions, etc., are identified and fingerprinted to allow us to craft our attack in an informed fashion, elevating our probability of success.

Vulnerability Identification

Assessment that consists of evaluating the information assets in scope against 80'000+ vulnerabilities and configuration checks, in addition to CWE/SANS TOP 25 Most Dangerous Software Errors and OWASP Top Ten vulnerabilities. wizlynx group uses several vulnerability scanners, as well as manual techniques, to test the many services that are reachable via the network such as SMTP, HTTP, FTP, SMB, SSH, SNMP, DNS, etc. The following vulnerability types can be identified (non-inclusive list):

Service-Side Exploitation

-Remote code execution
-Buffer overflow
-Code Injection
-Web Application exploitation (XSS, SQLi, XXE, CSRF, LFI, RFI, and more)

Network Manipulation & Exploitation

– VLAN Hopping attacks
– ARP Spoofing
– HSRP/VRRP Man-In-The-Middle attack (MiTM)
– Routing Protocols MiTM

Identity & Authentication Weakness Exploitation

– Default username and password
– Weak and guessable user credentials

Privilege Escalation

– Race conditions
– Kernel attacks
– Local exploit of high-privileged program or service

Vulnerability Exploitation

Using a hybrid approach (automated and manual testing), our security analysts will attempt to gain privileged access to the target systems in a controlled manner by exploiting the identified vulnerabilities in previous phase “Vulnerability Identification”.

Supported Web Application Testing Approaches

Blackbox Testing Approach

Refers to testing a system without having specific knowledge of the inner workings of the information asset, no access to the source code, and no knowledge of the architecture. This approach closely mimics how an attacker typically approaches a web application at first. However, due to the lack of application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer and may not provide a full view of the application's security posture.

Greybox Testing Approach

Refers to testing the system while having some knowledge of the target asset. This knowledge is usually constrained to the URL of the application, as well as user credentials representing different user roles. Greybox testing allows focus and prioritized efforts based on superior knowledge of the target system. This increased knowledge can result in identifying more significant vulnerabilities, while putting in much less effort.

Whitebox Testing Approach

Refers to testing the system while having full knowledge of the target system. At wizlynx group, our whitebox penetration test is composed of a greybox test combined with a secure code review. Such assessments will provide a full understanding of the application and its infrastructure’s security posture.

What Will You Get?

All findings will be documented in a final report which will include a comprehensive and meaningful C-level summary. Additionally, it will include all detailed results with respective supporting evidences, explanations, risk rating using CVSS, and recommendations for future security measures.