Our Approach and Methodology
The SecureState Profiling Team is well known and highly regarded as
experts in Penetration Testing. Our approach follows industry-accepted
testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM.
By following these methodologies, our clients can accurately replicate the
testing SecureState has performed in their own environment and effectively
mitigate identified vulnerabilities. The SecureState Profiling Team also
helps identify strategic “root cause” issues through our Penetration Tests.
Our Risk Management Team is uniquely positioned to work closely with the
Profiling Team in order to assist clients with mitigating these strategic
“root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules
of engagement and the scope, and to exchange contact information for
both parties. SecureState provides a detailed Project Charter which contains
information on scope and everything that will be required to conduct the
testing. In addition, the Project Charter is discussed during the kickoff
call prior to the beginning of the engagement. Lastly, SecureState requests
two sets of credentials for each user role to be tested. For example,
SecureState will test the roles of a standard user as well as an
administrator account during the Grey Box WAS Assessment.
Phase II – Information Gathering:
SecureState identifies application entry points, performs search engine
reconnaissance, and analyzes error codes. Additionally, SecureState
manually maps the application to collect session information as well as
cookies and business logic information.
Phase III – Configuration Management Testing:
In this phase, SecureState tests for HTTP methods, SSL weaknesses, and
infrastructure configuration management vulnerabilities.
Phase IV – Authentication Testing:
SecureState tests for user enumeration, brute force testing, and
authentication bypass vulnerabilities.
Phase V – Session Management Testing:
In this phase, SecureState tests for session fixation, session variable
handling, and CSRF (Cross-Site Request Forgery).
Phase VI – Authorization Testing:
SecureState tests for path traversal, user role and permission flaws,
and privilege escalation vulnerabilities.
Phase VII – Business Logic Testing:
SecureState manually looks at ways to bypass the business logic of the
application. This can be as simple as parameter manipulation, or modifying
the logic of the application via a web proxy.
Phase VIII – Data Validation Testing:
SecureState tests for XSS (Cross-Site Scripting), SQL Injection and other
code injection flaws, as well as HTTP Response Splitting.
Phase IX – Other Testing if Applicable:
SecureState will test for specific vulnerabilities in heavily Ajax-enabled
applications. Additionally, per client request, SecureState will conduct
Denial of Service testing. This type of testing is normally not conducted
unless authorized by the client.
Phase X – Reporting:
As part of the deliverable, SecureState provides a report which contains
a short graphical summary aimed at senior management, a narrative body which
details major findings, and a detailed findings section aimed at technical
staff. SecureState also provides a closing call and a high-level executive
presentation to summarize the testing and to provide an opportunity to
ask questions about the engagement.