Vulnerability assessment (security test)
Reviewing the security of your IT environment is a custom service. Secura will work with you, taking into account your specific wishes and the components that are vitally important to the running of your business. We use various methods to investigate the technical security risks of your (web) applications and IT infrastructures. In doing this, we will take into account your organisation's public profile and the damage cybercrime could do to your reputation, no matter what industry your organisation is in.
We record the outcomes of the security test in a clear report with a concise management summary, an extensive risk analysis for each outcome and recommendations on a strategic, tactical and operational level.
Within our methodology we use various tools and phases, such as reconnaissance, threat assessment, vulnerability assessment and vulnerability scanning. An important dimension of our tests is whether or not we have prior information about and understanding of the target. Roughly, three levels can be distinguished:
Crystal, grey or black box security test
Crystal box test
Our consultants have prior access to all relevant information, such as internal source code, configuration files and (design) documentation. This test is also known as a white box test. The major advantage of this in-depth assessment method is the ability to assess how problems have been solved. Was a structural solution chosen, or was ad hoc 'fire fighting' used? Has the software been solidly designed and well documented? These matters of quality determine to a substantial degree the level of your future digital security.
Black box test
Our consultants receive little to no information in advance. A black box test is comparable to an attack by digital intruders (within the time available). We use this to verify what can be done without credentials. For example, is it possible to bypass the login procedure?
Grey box test
The grey box is an intermediate form, in which our consultants have credentials and possibly user documentation available. We use this test to assess how a registered user could abuse the IT environment. Is it possible to assume the identity of another user or the application administrator? Is it possible to gain unauthorised access to data? Is it possible to take control of a session or to guess session IDs?
Out of all the things we do, a penetration test (or pentest) most appeals to the imagination. Secura's consultants use the available time to look for a weak spot in your security and subsequently attempt to exploit it, for example to penetrate further into a LAN or extranet environment. A Secura penetration test resembles a black box test, but is notably different.