The goal of security testing is to identify application’s vulnerabilities to potential attacks and to find any gaps that can be abused by intruders. We provide both penetration tests – controlled attempts to break the security controls of a given application – as well as source code reviews which extends security tests and allows more thorough verification of hypotheses and assumptions.

collapse

If only access to source code is possible, then we propose wider scope of applications security assessment, by providing analysis of source code’s key elements. It lest us to perform a much more precise verification of application security and better use of time spended for security assessment.

collapse

Mobile applications security testing needs different approach than web or desktop applications. We have broad experience in security testing of different types of mobile applications, i.e.: mobile banking, mobile payments, loyalty programs, e-commerce. Our knowledge and tools allows us to assess security of all modern platforms (i.e. iOS, Android, Windows Phone, Blackberry).

collapse

Vulnerabilities are a result of applications’ defects as we as defects in server-network evironment. To identify and eliminate such drawbacks, we propose infrastructure penetration testing which can be extended by configuration review.

collapse

Internal penetration test imitates a malicious user who gained access to company’s internal infrastructure by means of installing malware on a user’s workstation. In that case our team tries to find and access crucial resources and exploit vulnerabilities found in the internal network to access them. All of the above is performed in close cooperation with internal staff in order to minimize the impact of our actions and maximize the output of the test.

collapse

Training: Security testing for software testers and QA engineers

 

Description

 

This training is dedicated to software testers and quality assurance engineers which would like to expand their knowledge in application security testing field and use it on daily basis during work hours.

 

It consists mainly from live exercises based on authors experience and real vulnerabilities which were found during penetration testing of various web and mobile applications. We will discuss security testing tools available on the market, their procs and cons and ways in which each tool can help in finding vulnerabilities. Attendees will learn about existing standards related to the specification of software requirements and software security verification.

 

Topics

 

Introduction

• current trends in security of web and mobile applications
• how/when/why we should test security of our applications?
• the reality of software security assessment

 

Security in requirements

• functional
• non functional

 

Threat modeling

• basic concepts
• possible approaches
• web and mobile application risks

 

Standards, documents – short review

• OWASP ASVS 2014
• OWASP TOP 10 2014
• OWASP TOP 10 Mobile Risks
• OWASP Tesing Guide

 

Tools

• Firebug, Web Developer
• Fiddler/Burp
• OWASP ZAP
• OWASP DirBuster

 

Testing

• attacker based approach
• test case creation
• security testing automation
• reporting

 

Web

• HTTP and SSL basics
• common vulnerabilities
• testing techniques

 

Mobile

• device and server API
• security mechanisms of mobile operating systems
• checklist for mobile application assessment

collapse