With our team of 150+ Security Consultants located within our North American office, Prescient Security's ethical hacking team conducts manual testing in conjunction with a host of commercial, open source and internally developed tools to identify known and unknown vulnerabilities.

WEB APPLICATION TESTING | MOBILE TESTING | CLOUD TESTING | NETWORK TESTING | CODE ANALYSIS | RED TEAMING | BLUE TEAMING | IOT TESTING | CREST TESTING | WIRELESS TESTING | PCI ASV TESTING


WEB APPLICATION TESTING

Our Web Application Penetration Services
Application Security Assessment (ASA) services provide a customized, extensive, impartial and periodic security analysis of internally developed or commercial enterprise applications. This service evaluates current “standards” and levels of compliance to give organizations a well-developed matrix of existing threats, application vulnerabilities and recommendations of real world solutions to address specific weaknesses.

Our consultants utilize a combination of automated and manual techniques to uncover vulnerabilities in clients’ systems and infrastructures. Both proprietary and commercial assessment tools are leveraged to best identify these vulnerabilities. To ensure the accuracy and quality of results, consultants perform false positive validation on each and every finding and all testing beyond URL scanning is performed manually.

We utilize a custom ASA methodology, developed through our extensive experience conducting ASAs and dynamic code reviews over the last fourteen years. Our ASA Methodology is based on the Open Web Application Security Project (OWASP) testing guide, NIST 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM) Web Application Methodology. Our testing includes all testing requirements set out by the Payment Card Industry Data Security Standard (PCI DSS).

We perform ASA testing against both client and server applications including:

  • Web Applications
  • Mobile Applications
  • Thick Client Applications
  • Web Services
  • Application Programming Interfaces (APIs)

We maintain a library of proprietary tests and custom-developed tools to check for vulnerabilities that automated means cannot identify. Additionally, we use the Burp Suite Pro web application vulnerability scanner.

We deliver our ASA services in three (3) service levels, based on client requirements and objectives:

  • Application Penetration Assessments – Includes application scanning followed by intensive manual testing to identify application vulnerabilities. Application penetration assessments are typically performed on high risk applications, new applications or after major changes to an application. Reporting is fully customized and includes both positive and negative findings.
  • Application Vulnerability Assessments – Includes application level scanning and manual testing to identify application level vulnerabilities. Application vulnerability assessments are typically performed annually on stable applications, after minor changes to an application or to test a specific application module. Reporting is customized and only includes negative findings.
  • Mobile Application Security Assessments – Includes full interrogation of a mobile application and its associated services (Web Services & APIs) along with the server hosting those services. Mobile application security assessments are performed on release candidate versions or on production versions of mobile applications. This includes iOS mobile applications and those found on the Android platform.

We believe in a proactive approach to security and a continuous assessment process, and we work with our clients to be an integral part of their Secure Software Development Lifecycle (SSDLC) process. However, each ASA offering can also be delivered as a one-time standalone assessment.

Methodology:


MOBILE TESTING

CLOUD TESTING

  • We can perform both internal and external assessments of cloud-hosted applications.
  • We conduct full black box external penetration tests, insider threat assessments, and overall security architecture reviews of cloud security measures in AWS and Azure.
  • We examine access controls, user provisioning, API keys, and management dashboards – along with a host of other services.

NETWORK TESTING

The goal of penetration testing is to simulate a hostile attack in order to discover vulnerabilities. The EnableIT ethical hacking team will conduct manual testing in conjunction with a host of commercial, open source and internally developed tools to identify known and unknown vulnerabilities. The following criteria will be applied to all penetration tests.

Summary of Testing (non-exhaustive):

  • Cross Site Scripting (XSS) Flaws
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access
  • Unvalidated or Unsanitized Input
  • Insecure Configuration Management
  • Network Segmentation Testing
  • Infrastructure Testing

CODE ANALYSIS

EnableIT provides static and source code analysis using commercial and open source tools. Our SCA offering identifies vulnerabilities present in source code that dynamic code analysis might miss. Source code is scanned for common issues such as missing input validation, buffer overflows, unsafe memory allocation functions and other issues that can lead to exploitable vulnerabilities within the application. Especially when combined with dynamic testing (penetration testing), SCA provides a deeper level of security testing.

Methodology:

Source Code Analysis follows the basic process steps below:

  • Setup – includes loading code into an appropriate IDE and building the application
  • Automated code analysis using commercial and open source tools
  • Manual verification of findings
  • Manual analysis – includes numerous checks for things like encryption, authentication controls, unvalidated input, use of session controls, error handling, and many others

RED TEAMING

Prescient Security Red Teaming is designed to give our clients a realistic view of potential attack vectors and threats from a holistic perspective, rather than the narrow scope of most penetration testing. Our advanced penetration testing team focuses on the following areas:

  • Real world attacks and Advanced Persistent Threat type methodologies
  • Onsite and social engineering attacks

BLUE TEAMING

Prescient Security Blue Teaming is designed to detect and defeat ongoing attacks. Our advanced penetration testing team focuses on the following areas:

  • Evaluate SOC capability to detect and respond to the Red Team’s activities
  • Review of security tools / architecture for gaps in detection capability

IOT TESTING

As more and more devices are equipped with network connections, few are built with security in mind. Our IoT security testing services bring our hardware and security experts together to test the full attack surface. As few IoT devices support endpoint security measures, our security experts can also offer consulting help on securing IoT deployments via network-based security solutions.

CREST TESTING

Prescient Security is one of 15 consulting companies that are CREST approved for penetration testing in the Americas region.

WIRELESS TESTING

Wireless testing is designed to provide a real world view into the security and risks of using wireless network communications. Internal and External networks are assessed, along with the segmentation between the various wireless networks and internal wired networks.

EnableIT conducts Wireless Penetration Tests using NIST SP 800-97 and SP 800-48 as guides. The goal of the assessment is to determine the overall security of the wireless implementation and emulate the types of attacks used by real world threats. Wireless tests include the following modules:

  • Review of wireless architecture
  • Sniffing wireless traffic
  • Network Mapping
  • Identification of legitimate and rogue access points
  • “Evil AP” attacks
  • Encryption cracking attacks

PCI ASV TESTING

We are one of a select few PCI Approved Scanning Vendors (ASVs) and can help secure your cardholder data infrastructure.