What’s Penetration testing
Penetration testing serves as a pro-active measure to try identify vulnerabilities in services and organizations before other attackers can.
Penetration testers are security professionals skilled in the art of ethical hacking, which is the use of hacking tools and techniques to fix security weaknesses rather than cause harm.
Our Penetration Testing Services
Mobile Application Penetration Testing
Secure Android and iOS mobile applications with superior mobile app testing.
Web Application Penetration Testing
Our expert penetration testers will analyse all aspects of your web app to help you stamp out security weaknesses.
Penetration Testing - Across Industries
40% Bank & Finance
13% Manufacturing
3% Heath
18% Government
19% Software
7% Others
Qualification
Certification
- Offensive Security Certified Professional (OSCP) Certification
- GIAC Penetration Tester (GPEN) Certification
- Certified Ethical Hacker (CEH) Certification
Research
- CVE-2008-3008 / MS086-053 flaw
- Disclosed security risks in libraries of VBB, Joomla, WordPress
- Disclosed security risks in IoT devices such as automatic door, security camera, network printer.
Engineers (50+)
- 15 Security Researcher, 6-12 years of experience in malware and vulnerability research
- 20+ Security Researcher, 3-10 years of experience in penetration testing
- 10+ Software Engineer
05 Data Engineer
Experience (5 years +)
- Experience working with various industries for many years, with more than 100 projects
Our Penetration Testing Types
White Box
Customer must provide full information about the system, accounts at different access levels for the testing expert to exploit effectively and to be able to cover all the features of the system.
Advantages
- in-depth code-level analysis to identify potential vulnerabilities
- significantly improve software quality
Applicable scenarios
- Throughout all phases of software development, particularly when conducting in-depth code analysis and verification.
- Commonly used to detect security vulnerabilities and logical flaws in code, ensuring robust system security
Black Box
The organization does not need to provide the architectures, application version, platform system, login account to bring the most objective results.
Advantages
- Thoroughly validate software functionalities, and identify potential vulnerabilities
Applicable scenarios
- Quality verification before software release
White Box - Phases
01
Information Gathering
Understand the testing scope
- Number of features, components required to test.
Gathering the application information - User journeys, use cases
- Application specification
- Technical specifications, pseudocode
02
Prepare for the penetration test
- Identify all possible paths from the flowgraph
- Write Test Cases to cover every single path on the flowgraph
03
Penetration Testing
- Review Source Code and Architecture
- Execute Test Cases and Identify Vulnerabilities
- Manual Code Review
- Test Input Validation and Output Encoding
- Simulate Exploitation Scenarios
- Analyze Threats and Impacts When Vulnerabilities Are Exploited
04
Reporting
- Send daily quick report for high risk vulnerability detected
- Write summary and technical report
- Deliver the final report
05
Re-testing
- Re-testing the vulnerabilities after remediating programs
Black Box - Phases
01
Information Gathering
Understand the testing scope
- clarify the specific objectives of the pen testing
- Based on the planning and scope, we should identify the key areas of focus for the testing
Gathering the application information
eg. Number of HTTP Requests in Web App or API
Number of Screens in Android or iOS Application
02
Prepare for the penetration test
- Define communication way for sharing information
- Kick-off meeting
- Scheduling the penetration testing
03
Penetration Testing
- Reconnaissance and Enumeration
- Scan and Identify Vulnerabilities
- Simulate Attacks on Discovered Vulnerabilities
- Analyze Threats and Impacts When Vulnerabilities Are Exploited
04
Reporting
- Send daily quick report for high risk vulnerability detected
- Write summary and technical report
- Deliver the final report
05
Re-testing
- Re-testing the vulnerabilities after remediating programs
Our Survey
Web Application Information
Site name, host, system, cloud services, penetration testing type (remote, onsite), period time, environment testing
Access Restriction
Restricting access by IP address, basic authentication, need some special configure access settings
Account Information
Multiple permission setting, multiple accounts (username and password)
Various Process
Assessment of functions associated to various processes and external systems
Consider
Some information should be confirmed before testing
Web App Standard & Methodology
OWASP Standard v4
The OWASP Application Security Verification Standard is an open application security standard that provides a framework for assessing the security of web applications and services.
Penetration Testing Execution Standard
The Penetration Testing Execution Standard (PTES) is the most recent penetration testing methodology. It developed by information security experts from various industries.
Mobile App Standard & Methodology
Estimation /Decompile
Decompile the application for the examination of vulnerabilities into the application code
DAST
Dynamic Application Security Testing (DAST) is a solution used to analyze applications at runtime to identify security vulnerabilities and misconfigurations.
Reporting & Remediation
The tester prepares a report documenting the findings including vulnerabilities, risk, remediation advice, etc.
Planning
Defining the scope of the penetration test. Identify the target platforms, specific app components, and the testing methodologies to be used.
SAST
Static Application Security Testing (SAST) performs on the source code level. It examines source code to find and monitor flaws.
API &
Network Testing
Find and exploit vulnerabilities on API system
OWASP Standard
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to mobile app security. It has defined many different app security standards that form the backbone of mobile app security testing today.
Automation Testing Tools
MOBSF
Mobile Security Framework (MobSF) is an automated, all in one mobile application (Android/iOS/Windows) pentesting, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Burpsuite Pro
Perform manual and semi-automated penetration tests of web applications. There are so many functions such as HTTP Proxy (for intercepting HTTP Request), Scanner, Spider (for crawling data), Repeater (for creating HTTP request to server and getting response)
Nessus
Nessus is the de-facto industry standard vulnerability assessment solution for security practitioners.
Self-developed NVA & WVA
Perform advanced Vulnerability Assessment for website and network systems. Developed by our partner and suitable for penetration testing projects.
Acunetix
Perform automated penetration tests of web application. The tool has a lot scripts which can be customized by tester for adapting with OWASP standard.
JEB Decompiler
Decompile and debug binary code. Break down and analyze document files. Dalvik, MIPS, ARM, Intel, WebAssembly & Ethereum Decompilers.
Testing Technique Scope
Assessment
- PTES Methodology
- OWASP Standard v4 (Manually)
- INNOX Checklist for Mobile Application Pentesting (Manual)
- INNOX Checklist for Web Application Penatesting (Manuel)
- Severity of vulnerability based on CVSS v3
- Scan by Burpuite / Acunetix with specify configuation (Automatic)
Known Vulnerability (Public CVE / Exploit)
- Framework of Application
- Libraries using in Application
- Services running on Server
- Bypass WAF
Reconnaissance
- TLD Domain, Sub-domain, DNS History
- Wayback URL
- Cloud Storage miss configuration
- Sensitive information on Search Engine
- Ports & Services running on Server
- Enumerate
- Framework, Programming
- WAF Detection (Real IP behind WAF)
- Architecture
