Our consultants are CREST certified Security Testing professionals, who follow a formal process when conducting penetration tests of applications or infrastructure, to identify and remove vulnerabilities from systems before they can be exploited and lead to data breaches.
A clear scope and boundaries are important to establish before commencing work of this nature. Our team use structured questionnaires to define scope, which allow us to produce clear statements of work and ensure a common understanding and agreement on the work to be carried out. On completion, reports are issued to customers securely, to maintain confidentiality and avoid vulnerability details leaking outside the project team.
We offer several types of penetration testing for our customers, each with a slightly different focus. These different types are not mutually exclusive and are often combined, to provide our customers with the maximum confidence in the security of their applications.
Network / Infrastructure
Given the tremendous financial cost of network breaches, it is in every organisation's best interests to be confident about the security of its infrastructure.
Whether you're on-premises, in the Cloud or using a hybrid model, our specialists can thoroughly test your infrastructure, targeting externally facing servers and network devices, to identify points of weakness and vulnerabilities. Our team follow an established, industry-standard methodology which aims to identify exploitable issues, so that they can be fixed before any damage is caused.
Web Applications
While a strong approach to network penetration testing serves as a great foundation for making security a priority within your organisation, there are numerous malicious tools that specifically target web applications.
During development, it's often the case that inadequate provision is made for security when writing code, or when taking the application live. Tight deadlines and DevOps methodologies mean that speed is the understandable priority. Our web application penetration tests help you make up lost ground by testing for application-level vulnerabilities. To do this, we test your website(s) against the OWASP Top Ten, which categorises the most severe security risks to web applications:
- Injection Flaws
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfigurations
- Cross Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
If you are interested in learning more about our penetration testing approach, get in touch with your requirements via our short contact form.
Mobile Applications
If your mobile app handles sensitive customer information or involves security-based functionality - anything from online banking to social networking - then a mobile penetration test is worth considering.
With mobile usage skyrocketing on both iOS and Android, consumers expect a seamless and secure user experience. That's why our consultants use real-world devices to simulate an attempted hack, checking for faulty authentication, poor coding, unknown functionalities accidentally carried over to the production environment and insecure storage of data.
Following a mobile app penetration test, which often involves SAST and DAST carried out in combination, you would be provided with full reporting and recommendations on how to rectify the detected vulnerabilities. Following this step, our consultants then re-test the app to ensure that no stone is left unturned.
APIs
Nowadays, APIs are everywhere. Every time information is transferred from device to device, APIs are at work, allowing your applications to communicate with larger systems and databases.
Perhaps because of this ubiquity, attacking unprotected APIs is one of the most common forms of security threat to web and mobile applications. All too often, security concerns are passed over when it comes to APIs, as the applications themselves take centre stage. However, at Prolifics Testing, our security consultants are trained in how to test and interpret results for REST and SOAP APIs, taking a tailored approach to your unique setup.
Without an API penetration test, you leave your company exposed to threats such as SQL injection and DDoS attacks, potentially jeopardising your company's reputation and harming your financial prospects.
Our approach
Our methodology can be summarised in six stages:
- Planning and identification
- Scanning
- Gaining access
- Maintaining access
- Analysis
- Reporting
Results of our penetration tests focus on:
- Specific vulnerabilities that were exploited
- Sensitive data that was accessed
- The amount of time the tester was able to remain in the system undetected