More than security testing
Security testing at the very end of a project, just before (or after) deployment, is still a key component of achieving application security. Nevertheless, doing security tests only as part of UAT is not effective, because the cost of fixing bugs at late project stages is significant. That is why, besides security testing, we offer support at each stage of development:
- Security requirements definition (functional and non-functional)
- Project reviews
- Code reviews
- Security tests
The goal is to fix vulnerabilities.
- Our report always includes recommendations on how to fix discovered vulnerabilities.
- We offer support during the fixing phase.
- We communicate with the vendor of the tested solution to help them understand the problem and provide remediation.
- We offer retesting after vulnerabilities are fixed, to confirm that the remediation is effective.
The main aspect of a security assessment is taking real risk impact into account.
- Prior to testing, we perform threat identification and threat modeling.
- We prioritize attack scenarios.
- We take business impact as well as business logic into consideration.
We say no to fire-and-forget tools.
- Automated tools can only find a small percentage of real vulnerabilities.
- The real threat is a live attacker, not an automated tool.
- We prefer manual verification, supported by specialized "home-grown" tools.
- An understandable, customer-oriented report.
- Realistic, tailored recommendations.