More than security testing
Security testing at the very end of a project, just before (or after) deployment, is still a key component of achieving application security. Nevertheless, doing security tests only as part of UAT is not effective, because of the significant cost of fixing bugs at late project stages. That is why, besides security testing, we offer support at each stage of development:
- Security requirements definition (functional and non-functional)
- Project reviews
- Code reviews
- Security tests
The goal is to fix vulnerabilities.
- Our reports always include recommendations on how to fix discovered vulnerabilities.
- We offer support during the remediation stage and verification tests once patches are available.
- We contact the vendor of the tested solution to help them understand the problems and provide effective remediation.
The main aspect of a security assessment is taking real risk impact into account.
- Prior to testing, we perform threat identification or threat modeling.
- We prioritise attack scenarios.
- We take the business context into consideration and also test business logic.
We say no to fire-and-forget tools.
- Automated tools can only find a small percentage of real vulnerabilities.
- The real threat is a live attacker, not an automated tool.
- We prefer manual verification, using specialized “home-grown” tools.
- Understandable, customer-oriented reports.
- Realistic and dedicated recommendations.