Security audits and penetration tests
Is our service for you?
- You need to protect your data and maintain business continuity.
- You want to implement security tools but don’t have the resources.
- You need personalized reports to meet compliance and legal requirements.
- You have a technical team, but you need a higher level of security knowledge.
- You want to be sure that your internal infrastructure is safe and resistant to unauthorized actions by employees or partners working inside the network that could expose company secrets.
By combining knowledge and technology, Soflab Technology helps organizations optimize security and quality throughout the software life cycle.
Reliability, security and speed of operation
At Soflab Technology, we use the knowledge of experienced specialists to offer IT security solutions that respond to the key challenges faced by organizations today. Taking care of the security of IT solutions and the data contained in them has become critical for the protection of the company’s resources and its business continuity. Soflab helps to effectively ensure that there are no events that could threaten the business future of the company and the legal liability of its managers.
Avoid financial losses
Protect your brand from reputational damage
Manage your risk
Determine the actual security level of the organization
Respond to advanced threats
Meet regulatory compliance requirements
What can we do?
“The best defense is attack” and “prevention is better than cure” – these statements rarely apply simultaneously to the same situation. The exception is IT security. Prevention is unlikely to be associated with offensive actions, but in the case of penetration tests it turns out that in order to effectively defend yourself against an attack, it is worth attacking your own system beforehand. The attack should be performed in a controlled situation to find any system weak points or configuration errors.
Verifying the design documentation with regard to security considerations
We provide comprehensive alignment of each project with current legal regulations, including the GDPR. Adding a security specialist to the implementation team as early as the design stage of a solution helps avoid many errors and offers large savings later in the life cycle of the application or IT infrastructure.
We perform penetration tests, i.e. controlled attempts to breach security, tailored to the customer's needs: without knowledge of the system's internal structure (black-box tests), with partial knowledge (gray-box tests), or combined with a code review (white-box tests).
We conduct security tests based on OWASP (Open Web Application Security Project) standards, in particular the OWASP Top 10 classification, OWASP ASVS (Application Security Verification Standard) and the OWASP Testing Guide 4.0 (including its best practices for security testing).
We perform security tests of mobile applications using emulators and on physical mobile devices, based on the classification of vulnerabilities and threats in the OWASP Mobile Top 10 Risks list.
Auditing the security configuration of infrastructure and individual systems/ services
We conduct the audit using both manual techniques and automated tools. The audit covers:
- verification of the configuration approach,
- checking the security of the configuration with automated tools,
- performance-based risk analysis and security optimization recommendations.
The subjects of the tests are:
- unauthorized access,
- missing fixes.
DoS / DDoS attack resistance testing
The aim is to detect missing protection against unwanted traffic that blocks access to a given Internet-facing service. We verify resistance to the most common types of DDoS attack:
- UDP flood attack
Executed by dedicated scripts that generate UDP packets of random sizes at random time intervals, calibrated to the estimated load.
- HTTP flood attack
Based on simulating the various request methods (POST and GET) supported by the application. The generated application traffic does not resemble a standard user; it is shaped to produce the expected resource load.
Static audit of source code
The main goal is to identify ineffective constructs and code snippets that reflect bad programming practice or security bugs.
Static analysis allows you to:
- increase efficiency and stability,
- avoid common programming errors,
- enforce coding rules and standards,
- increase security at each subsequent stage of testing.
The analysis is based on OWASP standards, in particular the OWASP Top 10 and OWASP Mobile Top 10 classifications, and also verifies compliance with: SANS 25, HIPAA, MITRE CWE, NIST CVE, PCI DSS, MISRA, BSIMM.
Social engineering, procedures and security tests
Our auditors will conduct a controlled social engineering attack to verify the level of security, compliance with security procedures and the level of information security awareness in the organization, e.g.:
- an attempt to persuade the employee to run the software from the provided flash drive;
- e-mailing campaign;
- an attempt of unauthorized entry into the building.
It is possible to conduct training for employees in the field of ICT security and current technical and social engineering threats.
How do we do it?
Every wall can be broken through – it’s just a matter of time and skill. There is always a risk; our service is about minimizing it.
- We identify the susceptibility of the company and its systems to deliberate and accidental security incidents.
- We evaluate the ability to detect and withstand common attacks.
- We help determine the critical changes or activities needed in the field of security and prepare a plan of activities for building security in the company.
We are involved at various points in the software development cycle. This approach, which distinguishes us on the market, allows us to support our clients at every stage of the project: planning the necessary test work, identifying potential threats and defining the design assumptions for the implemented solution. We provide practical conclusions in a transparent form. The final report describes how each finding is reproduced, the possible threats and the corrective actions.
Manual and automated testing techniques will be used during the tests. Both complement each other:
- We use various automated tools, such as Nessus, Burp Proxy Professional, OWASP ZAP, SOAP UI, Metasploit and our own programming framework, which reduces the risk that any single tool misses a security gap.
- Manual auditing involves hands-on verification of the application and of individual vulnerabilities, and is used to detect logic errors in the implemented functionality. Performing attacks manually allows protection filters implemented in the application and in firewall systems to be analyzed and bypassed effectively.
- know-how based on many projects in various industries
- a team of competent experts
- ready-made, proven, practice-based testing procedures
- experience in selecting appropriate technologies and tools
- our own testing methodology, the Soflab Test Approach
- our own Testlab with devices for testing mobile applications