Security Testing Methodology

Internal & External Network

  • Information gathering (external sources, social media)
  • Network mapping (DNS, Ripe, segmentation)
  • Vulnerability identification (automated and manual)
  • Social engineering (if part of scope)
  • Exploitation (gaining access)
  • Post exploitation (gather data and further access)
  • Privilege escalation (system and network)
  • Covering tracks (avoid detection)
  • Findings, recommendations and reporting

Network Devices Configuration Review

  • Identify security issues caused by misconfiguration
  • Identify security issues caused by missing settings
  • Review polices and rules
  • Review of password policy and the storage method
  • Identify allowed services
  • Analyze processing capabilities
  • Detect network mapping and service
  • Detect vulnerability
  • Analyze vulnerability
  • Findings, recommendations and reporting

Wireless Network

  • Deep analysis of the Wireless device
  • Penetration testing of WLAN and associated services
  • Bypass WLAN Authentication
  • Attack the wireless Clients.
  • Findings, recommendations and reporting

Web Application

  • OWASP Top 10
  • Information gathering
  • Security configuration testing
  • Authentication testing
  • Session management testing
  • Authorization testing
  • Access control
  • Business logic testing
  • Data validation testing
  • Injection testing (SQLi, XSS, etc)
  • Denial of Service testing
  • Web Services & API testing
  • Findings, recommendations and reporting

Mobile Application

  • OWASP Top 10
  • Improper platform usage
  • Insecure data storage
  • Insecure communication
  • Insecure authentication
  • Insufficient cryptography
  • Insecure authorization
  • Client code quality
  • Reverse engineering and de-compiling
  • Findings, recommendations and reporting

Applications Source Code Review

  • Authentication
  • Session Management
  • Authorization
  • OWASP Top 10 (injections in user manipulated variables, XSS, CSRF, etc.)
  • Insecure Direct Object Reference
  • Sensitive data exposure
  • Missing Function Level Access Control
  • Using Components With Know Vulnerabilities
  • Review dangerous functions usage
  • Encryption methods
  • SSL/TLS configuration and usage
  • Business logic (potentially bypass critical steps)
  • Identify denial-of-service points in weak functions
  • Client-side vs server-side validation
  • Findings, recommendations and reporting

Security Testing Guidelines

Internal and External Network

Wireless Network

Web/Mobile Application

Source Code Review

Configuration Review

ISSAF

Information System Security Assessment Framework

PTES

Penetration Testing Execution Standards

OSSTMM

Open-Source Security Testing Methodology Manual

OWASP

Open Web Application Security Project

PCI-DSS

Payment Card Industry Data Security Standard
STIG NIST CIS

Security Assessment Methodology

Info Gathering

Input Questionnaire 

Automated Testing

Mapping, Scanning & Discovery

Vulnerability Assessment

Manual Testing

Vulnerability Identification

Penetration Testing

Exploitations

Deliverables

Vulnerabilities Categorization 

Mitigation Recommendations

Team Certification

Check how we can help you

Contact Us

Cyberteq is an innovative Information and Communication Technology Consulting Company. In the era of digitalization, Cyberteq enables its customers to take full advantage of the latest digital technologies and networks in a secure manner.

Info

Follow Us

Contact

© Copyright 2021 | Cyberteq - To Transform and Secure Business through Innovation