Vulnerability Assessment / Penetration Testing (VAPT)
Vulnerability assessment and penetration testing are methods for identifying security flaws in your website, (mobile) application, or infrastructure. With businesses becoming heavily reliant on data, data security is critical, if not mandatory. Authorized users gain access to data through applications that contain business logic and security functions. Any flaw in these access layers will adversely affect the business. To stay in control, security measures must be evaluated by testing their effectiveness.
Our ethical hackers assess the effectiveness of the implemented security measures, identify vulnerabilities, and provide clear recommendations for improvement in an extensive report. The report includes a clear and precise management summary, an extensive risk evaluation for each finding, and recommendations at the strategic, tactical, and operational level.
VAPT Service Includes:
- Cloud Infrastructure
- Internal Network
- Mobile Application
- Web Application
- External Network
- Code Review
- Black Box
- Gray Box
- White Box
- Periodical tests
Phase 1: Information Gathering
- Gather information on the target systems in scope
- Validate the login details required for the assessment
- Collect information on the systems
Phase 2: Analysis
- Assess which vulnerabilities can be identified through investigation
- Use tools and scripts to exploit the identified vulnerabilities
- Security specialists manually check the raw data and potential vulnerabilities for ‘false positives’
Phase 3: Reporting
- Writing and reviewing the report
- Present, discuss and review findings together with the client
Phase 4: Retest
- Retest to validate that the reported vulnerabilities have been patched
Standards and Guidelines Applied:
- Application Security Verification Standard (ASVS) for (web) applications;
- Relevant OWASP publications such as the Top 10 and the ASVS, supported by the OWASP Application Security Testing Guide;
- SANS/CWE Top 25: the most common and most dangerous software errors;
- CIS baselines (Benchmarks) for infrastructure and configuration assessments;
- Relevant NIST guidelines on e.g. password and key management;
- NCSC ICT security guidelines for web applications and the ICT security guidelines for Transport Layer Security (TLS);
- Baseline Information Security Government (BIO);
- The OWASP Testing Guide versions 3 and 4 with the OWASP Web Service Security Cheat Sheet, where relevant;
- MASVS (Mobile Application Security Verification Standard) for mobile applications;
- Logius standards for DigiD assessments;
- The STRIDE methodology for threat modeling;
- OWASP Mobile Top 10;
- Up-to-date information from (software) suppliers such as Google, Apple, Amazon, Microsoft, etc.
Cloud Security Assessment
We assess the existing cloud security controls and measures that safeguard your cloud-based assets against targeted attacks on Microsoft Office 365, Microsoft Azure, Amazon Web Services, and Google Cloud Platform. After the cloud security assessment, we prioritize the findings, highlighting process and control flaws, threats, and the resulting risks. We use this data to create a tailored solution for minimizing cyber risk and increasing cyber resilience in your cloud ecosystem.
- Identify the cloud services your organization relies on to deliver services.
- Analyze preventive and detective controls that secure your cloud ecosystem.
- Establish the cyber risk posture of your organization’s cloud services.
- Develop prioritized recommendations and a roadmap for risk reduction.
- Determine the levels of cyber risk, potential loss, disruption, or exposure of your cloud-based assets.
- Create a workbook and plan of action for managing ongoing cloud cyber risk.