Companies are more and more dependent on data, be it for sales, R&D, or their actual product portfolio. Protecting this data is vital, and often also compulsory (for instance when it concerns personal information). Data is accessed by authorised users through applications that contain business logic and security functions. If any weaknesses exist in these access layers, then risks will arise to the business. In order to be in control of these risks, it is necessary to assess the security measures by testing their effectiveness.
Within our methodology we use various tooling and phases, such as reconnaissance, threat assessment, vulnerability assessment and vulnerability scanning.
We record the outcomes of the security test in a clear report with a concise management summary, an extensive risk analysis for each outcome and recommendations on a strategic, tactical and operational level.
Crystal, grey or black box security test
The information provided upfront and the depth of testing are related. The information provided upfront is often described in terms of 'black box' testing, 'grey box' testing or 'white/crystal box' testing. These terms relate to the amount of information available to us beforehand.
Crystal box test
Our consultants have prior access to all relevant information, such as internal source code, configuration files and (design) documentation. This test is also known as a white box test. The major advantage of this in-depth assessment method is the ability to assess how problems have been solved. Was a structural solution chosen, or has use been made of ad hoc 'fire fighting'? Has the software been solidly designed and well documented? These matters of quality determine to a substantial degree the level of your future digital security.
Black box test
Our consultants receive little to no information in advance. A black box test is comparable to an attack by digital intruders (within the time available). We use this to verify what can be done without credentials. For example, is it possible to bypass the login procedure?
Grey box test
The grey box is an intermediate form, in which our consultants have credentials and possibly user documentation available. We use this test to assess how a registered user could abuse the IT environment. Is it possible to assume the identity of another user or the application administrator? Is it possible to gain unauthorised access to data? Is it possible to take control of a session or to guess session IDs?
Out of all the things we do, a penetration test (or pentest) most appeals to the imagination. Secura's consultants use the available time to look for a weak spot in your security and subsequently attempt to exploit it, for example to penetrate further into a LAN or extranet environment. A Secura penetration test resembles a black box test, but is notably different.