Penetration Testing & Vulnerability assessment

Why Choose us as your Penetration Testing Consultant

With the dawn of GDPR rules, every business needs to hire a comprehensive penetration testing consultant, ethical hacker or use a security assessment service at least once a year. 

Talk to us because...

  • We use the best penetration testing tools: Our approach goes beyond the use of automated tools and processes to include deep knowledge of how compromises can occur in government, financial and commercial organizations.

  • We run a time-efficient penetration process: We ensure all assessments are effectively executed within limited engagement windows by prioritizing the testing of critical devices and components and its respective potential vulnerabilities and ensuring we abide by the rule of engagement.

  • We deliver results of the penetration assessment: Our assessments provide you with valuable and actionable insights into discovered vulnerabilities, potential attack paths, business impact of breaches, and remediation steps.

  • We Help you address the security issues: Experienced, skilled tests develop our comprehensive reports, so you can easily understand the actionable information contained within them.

  • We are skilled and up-to-date: Our team members undergo extensive training, participate as industry thought leaders, participate in hackathons and CTFs, and have earned industry certifications, including LPT, GCIH, GWAPT, CREST CRT, MCSE, RHCT, OSWP, OSCP, OSCE, CEH, eWPTX, PMP, and CISSP.

Request a Quote

And get a basic security evaluation report FREE

arrow&v
SCOPE
Penetration Testing and Ethical Hacking Services

Do the below keywords ring a bell?  

  • Disrupted elections  

  • State-sponsored attacks  

  • Ransomware  

  • International bank heists    

 

Most likely they do, as most of us have read about these in the past few months with the intensity and  sophistication of cyber crimes on the rise. Here are some statistical data to help us understand the depth  of what is at stake and how big a problem it is. 

Regulatory authorities expect all companies small and big to do more to protect their systems and data,  and now penalise them if there is evidence that enough steps were not taken by an organisation to  prevent a hack which caused a data leak.    

 

We at sapna security understand that  

  • Security can be daunting for both small and big companies  

  • Organisations may not know what they are expected to do  

  • Huge costs may keep them from conducting security audits    

 

Accordingly sapna security attempts to offer security assistance at reasonable price to match your needs.    

 

For application ethical hack we have a team which has experience over several years in web  programming, database, network architecture, server hosting, security audits, and security testing. We  use both automated and manual ethical penetration testing methods to give you the best results. Our  Assessment approach, our findings will ensure you get a detailed idea of the issues. We will be available  for help and discussions at each step. Our work does not stop only at report generation on findings, but  we will offer 1 free retest of P1, P2, or P3 issues if completed within the recommended date as detailed  in “Vulnerability threat category”  

1. Our Cyber Security Assessment Approach 

The web application ethical hack includes the following areas:    

  • Injection  

  • Authentication  

  • Session Management  

  • Cross Site Scripting (XSS)  

  • Insecure Direct Object References  

  • Sensitive Data Exposure  

  • Access control  

  • Cross-Site Request Forgery (CSRF)  

  • Unvalidated Redirects and Forwards  

  • Input validation  

  • Cryptography    

 

Since there is a limited window for test, every instance of a specific finding might not be   uncovered. Eg if the assessor discovers SQL injection in a specific section, it may not uncover all the  sections which are affected by it.

2. Data & Information Security - Assessment and Recommendations Example 

Below is a sample findings and recommendations chart.  

3. Vulnerability Threat Category 

Priority 1 (P1)

Issues that pose a clear and present  danger to the confidentiality, availability  and integrity of the system or data. Any  existing mitigating controls are  ineffective or insufficient. Includes  readily exploitable issues that pose  severe financial, brand image, or  regulatory impact if  discovered/exploited. Any issue that  poses a direct and probable threat to  the company's confidential information  or customer NPI falls into this category. 

 

Priority 2 (P2) 

 

Issues that pose the highest and/or  significant immediate risk to the  confidentiality, availability and integrity  of the system or data. Any existing  mitigating controls are ineffective or  insufficient. Includes readily exploitable  issues that pose significant financial,  brand image, or regulatory impact if  discovered/exploited. Any issue that  allows compromise of the infrastructure  or allows anonymous access to  authenticated systems fall into this  category. Any issue that has a high  probability of occurrence. 
 

Priority 3 (P3)

 

Issues that pose a moderate risk to the  confidentiality, availability and integrity  of the system or data, and mitigating  controls that are either nonexistent or  ineffective. Includes readily exploitable  issues that pose moderate business  impact if discovered/exploited. 

 

Priority 4 (P4) 

 

Issues that pose a low risk to the  confidentiality, availability, and integrity  of the system or data, but could make  the application less safe or introduce a  problem in the future. This includes potentially dangerous issues that are not  directly exploitable. Includes readily  exploitable issues that pose low business  impact if discovered/exploited. Any  issues that have existing effective  mitigating controls.

 

Priority 5 (P5)

 

Anomalous items that either do not pose  apparent security risks to the  confidentiality, availability and integrity  of the Systems or data. These  computing system vulnerabilities rated  Priority 5 are provided for general  improvement suggestions or simply to  share information which may be of  interest to the technology owners.  Priority 5 advisories are not tracked or  notified. 

4. Next steps

If you have any P1, P2, P3 issues then the following sequence of events need to be undertaken    

  1. Vulnerability discussion: Vulnerability assessment team will go through the report with the client  team to explain the issues, and answer any queries the client team might have.  

  2. Remediation: Remediation steps are necessary for all P1, P2 and P3 issues and remediation  dates have been advised above. Client needs to get back on remediation plan including  timelines so that these issues can be tested. Retesting request is a part of remediation stage and  when getting back to us on retesting please clearly mention vulnerability number, Type (P1-P5),  likely remediation date, and fix details (i.e. detailed description on how the issue was fixed) eg  
    Vulnerability: 2  
    Type: P1  
    Remediation date: 15/10/2017  
    Fix details: PDO was used to prevent MySQL injection and the parameter email was sent  as a separate parameter  

  3. Retesting: Retesting will be conducted for all P1, P2 and P3 issues. As per the retest result the  issues will be either closed, remain open, or reassigned another priority level.  

  4. Publishing to live: All successful retest issues have to be confirmed that they have been  published to the live environment. A confirmation email is required from the client side  indicating the exact date for fixing the issue on live environment.  

  5. Closing the assessment: The assessment will be closed after all P1, P2 and P3 issues have been  resolved/closed successfully, and fixes for all these issues have been published to the live  environment. 

  6. You can also hire us to perform a non intrusive security audit which includes, data classification,  data flow diagram, network diagram, security fact finding questionnaire which checks for various  security requirements like employee training to hardware firewall. Please contact us at  info@sapnasecurity.com​ for more information. 
     

$6 trillion

Annual cyber crime damage costs by 2021

$1 trillion 

Cybersecurity spending from 2017 to 2021

3.5 million

Unfilled cybersecurity jobs by 2021

4 billion

People online worldwide
by 2020

$11.5 billion

Predicted global ransomware damage by 2019