Penetration Testing Services (VAPT)

The type of pen test depends on the objective you are trying to achieve. Test scenarios may include testing for unauthorized attackers gaining access and maintaining access to your network, or malicious insiders stealing information they should not have access to.

• Black-box testing simulates an unauthorized attacker with no user credentials i.e. testing without logging into the system. With this approach, system functions requiring authenticated access will not be tested.
• Grey-box testing simulates an authorized but malicious attacker with user credentials i.e. testing by logging into the system. With this approach, system functions requiring authenticated access will be tested.
• White-box testing simulates a malicious attacker with access to the application’s source code. The approach will be a combination of VAPT and secure code review methodologies.

It is important to use the appropriate approach based on the risks identified by your security team and risk management framework.

Also known as ethical hacking, VAPT can be conducted on your internet-facing assets or your internal network. Depending on network accessibility, ethical hackers may need to be deployed onsite during the testing.

Internal testing simulates a malicious insider attack and is conducted from within the customer internal network and from a segment where the targets are accessible.

External testing simulates a malicious outsider attack and is conducted from the public internet without modification of customer’s perimeter defence.

Network penetration testing helps customers identify vulnerable services running on your network infrastructure and is primarily concerned with vulnerabilities at the operating system layer and common software (e.g. NIST CPE) of the target hosts and devices. Regular network penetration testing helps identify security weaknesses that can be exploited in a real world attack.

To be clear, test is focused on detecting security vulnerabilities and is not a Red Team assessment on the organization’s real-time readiness against cyber attacks. and excludes social engineering tests on your employees.

Application testing is focused on mobile and web application security and functionalities of the application (including web API servers for mobile apps) and is primarily concerned with application layer vulnerabilities, especially the OWASP Top Ten Web Application Security Risks and OWASP Mobile Top 10, including cross-site scripting, SQL injection and other security issues. Our team of security experts will also find flaws in the business logic and look for ways to bypass authorization controls in the mobile and web app.

Besides identifying exploitable vulnerabilities, the team assesses the mobile and web applications and evaluates the information security controls implemented for protecting data and securing transactions.

We adopt the following guidelines for our penetration testing methodology:

• Penetration Testing Execution Standard
• OWASP Web Security Testing Guide
• OWASP Mobile Security Testing Guide

Specific automated tools and manual network and application security testing procedures are executed based on the nature of the testing and environment.

We provide a comprehensive and high quality report without false positives. You can expect our VAPT reports to include detailed vulnerability analysis and actionable remediation recommendations.

• Executive summary: Overview of the engagement
• Engagement scope: Scope of work defined for the engagement
• Summary list of findings: List of observations rated by priority
• Significant risk areas (if any): Other significant or systemic risk as a result of a combination of issues identified
• Conclusion: Final observation
• Detailed findings: Provide issue description, risk impact, priority rating, technical reference and recommended security measures.

During the penetration test, we will also highlight any critical vulnerabilities to the customer so that they can take immediate actions to fix the detected issue.

Our security professionals use both commercial and open source vulnerability assessment tools including Tenable Nessus Pro, Burp Suite Pro, Kali Linux, Metasploit, etc.

Do note that while the use of pen testing tools is an important part of the approach, our security consultants will perform manual testing techniques when providing our VAPT services. Security tools support the work of the testing team but does not replace the process.