Recently, web applications have been among the most frequently exploited forms of software, often through relatively simple vulnerabilities that give attackers access to private data. Even the most popular applications, including those said to be the most secure, are vulnerable. Attackers rely on their secure reputation and develop easy and simple exploits to access a company’s cloud storage and internal executive-level management information, and to redistribute internal data.

Statistically, well over 80% of all publicly known exploits are due to known weaknesses in popular web applications. In many cases, vulnerabilities that result in a successful attack are completely missed by conventional and automated testing methods. In similar cases, specific vulnerabilities are identified but incorrectly considered unexploitable due to the presence of protective technologies.

The service combines both automated and manual means of testing (the latter being carried out with priority). In order to identify the potential attack surface, reconnaissance is performed. This phase is part of the penetration testing methodology, which includes the following phases:

  • Reconnaissance
  • Scanning
  • Gaining Access
  • Privilege Escalation

Alongside the phases, the penetration testers are required to know the access method:

  • Black box test
    Requires zero knowledge of the company's assets
  • Gray box test
    The attacker(s) have limited knowledge and certain credentials for restricted access to the system, provided by the client
  • White box test
    The attacker(s) are given complete access to the source code of the system, administrative accounts as well as any other information related to the systems that are under the scope

Tests performed by TAD GROUP simulate a malicious targeted attack. A report is issued at the end of the penetration test in order to provide an easily comprehensible description of the findings as well as recommendations on how to mitigate the vulnerabilities.

Assessments are conducted in accordance with the recommendations outlined in NIST SP 800-115.
