PENETRATION TESTING

Purpose

  • Test whether the server/application system can be penetrated from the perspective of an external or internal attacker, and how deeply an attacker can move through the system once access is obtained.
  • Identify all vulnerabilities in the system/application within the specified scope and assess the risk level and impact at the time of the attack.
  • Provide solutions to remediate the identified gaps and weaknesses and minimize the risk of their exploitation.

Test list

  • Network testing: Identify and exploit security vulnerabilities to assess the impact on the network environment.
  • Server system testing: Identify and exploit security vulnerabilities to assess their impact on servers.
  • Web Application Testing: Identify and exploit security vulnerabilities to assess their impact on Web applications.
  • Mobile App Testing: Identify and exploit security vulnerabilities to assess their impact on mobile applications.
  • ATM system testing: Identify and exploit security vulnerabilities to assess the impact on the ATM system and related components.

Scope of Services

Determined by the number of specific objects to be evaluated (per the test list above).

Implementation methods

  • White-Box testing: Refer to the category “Application source code security assessment.”
  • Grey-Box testing: The evaluator is provided with part of the information related to the evaluated object (account with privileges like regular users, etc.).
  • Black-Box Testing: The evaluator is given no information about the evaluated object and acts as an external attacker.
  • In addition to finding and exploiting publicly disclosed vulnerabilities and vulnerabilities in code written by the customer's own staff, NCS also searches for and exploits undisclosed (0-day) vulnerabilities in third-party components (libraries, extensions, frameworks, …).

Outcomes

The results report includes the following contents:

  • Overview of purpose and scope of implementation
  • Summary of approach, method of implementation
  • Summary of the vulnerabilities found and their severity levels
  • For each vulnerability: severity (critical, high, medium, low) / CVSS score, detailed description of the vulnerability, reference link, location/parameter in the system where the gap exists, analysis of exploitability from the internal network and from the internet, proof of exploitation (PoC), steps to reproduce the exploitation…
  • Remedies for each gap:
    • Detailed remediation instructions for each listed vulnerability, mapped to the list of in-scope systems: instructions on fixing the application code, instructions on configuring the system, download links for vulnerability patches, etc.
    • A risk-mitigation plan or a temporary workaround for vulnerabilities that cannot be fully remedied.

Human resources for project implementation

  • Each assessed object requires at least two senior-level personnel, and the total effort should be 6-10 man-days for 2 personnel.
