Proactive security, security by design and embedded security programs are critical in creating value in Cyber Security investment. With ever-complex programs, deployments at the click of a button and models/cloud architectures with seemingly no defined boundaries, never has the need been greater to get it right. To complement our Security Testing and Strategic Advisory programs, our suite of Assessment Services are designed to bridge the gap, maximise investments already made and ensure that risk is materially reduced.
THREAT, RISK & ATTACK MODELLING
“We Model Threat > Risk > Actual Attack Funnel”
Threat Modelling is part of a wider process and funnelling of the lifecycle that may lead to security compromise and offers significant return and value. At the top level, we use a variety of standardised industry modelling techniques together with interactive discovery and brainstorming sessions with your team to figure out the threat landscape specific to your environment, workflows and deployment. Not all threats present a risk – this is where risk modelling comes in, to establish the effective likelihood (risk weighting) of a threat. Attack modelling is the planning for and enacting of technical testing using defined sequences of tests against a methodology to establish whether risks are real-world exploitable.
Our team moves with you through the funnel, to establish realistic threats, risks and create a cyber/business heat map that can drive informed decision making, the deployment and tuning of your existing tools to mitigate and deliver a more effective ROI.
Threat = Evaluating the potential threats to an architecture
Risk Assessing = The likelihood of threats being realised through exploitation
Attack = Technical bug hunting, exploitation of the above
SDLC & DEVSECOPS EMBEDDED ADVISORY
“Embedding Security into the SDLC and Driving DevSecOps to Drive Value”
Software development practices recognise more and more that the best and most effective way of risk reduction and ensuring security best practice is to bake it in during the Software Development Life Cycle (SDLC). More so, good security design does not mean compromise to functionality, complexity and the creation of problems. Baking security into the SDLC can be viewed as simply another measure of quality and protection by design.
Embedding technical expertise is a clear solution. Our team will work with you throughout the SDLC lifecycle to help achieve sound application security design. This is a highly bespoke service and is fully customisable to each client with a number of implementation options all designed to add value, transfer knowledge and to drive security quality.
- Advisory in the design and scoping phase: getting the design right, at the outset
- Integrating as core part of the team: as a subject matter expert for advice, solutions and knowledge
- Security code review and dynamic testing: reviewing code for bugs as its being created and continual testing as a parallel activity stream.
Ultimately, we can together integrate with your DevOps to drive (or create) DevSecOps accountability in the SDLC life-cycle, to shorten and where possible, simplify the integration of good security practice with your software teams. DevSecOps is compatible with normal Agile processes and our goal is to aid decision making and take action at the same rate and in conjunction with your SDLC.
CONFIGURATION REVIEW: APPLICATION, CLOUD, INFRASTRUCTURE
“Establishing the Weak Link: Where Applications Meet the Cloud & IaaS.”
Information Security has clearly become a multi-dimensional discipline and the attack surface is both one of depth (in the application stack) and breath (across its deployment architecture). With back-end systems, infrastructure and cloud solutions as a service, the advantages for software programs are driving rapid rates of deployment. However, security as we know is all about the weakest links and we have seen over recent times exploits executed against configuration weaknesses of application, cloud and infrastructure as a service or integrations therein.
Our configuration reviews are designed to be holistic in nature to identify control gaps, common threats, uncover complexities and unknown exposures. Together we identify all the assets in a particular environment, service providers, stakeholders and examine your specific requirements for risk, compliance, policy and the effectiveness of your existing controls. A highly interactive consultancy process involving an eye for both detail and context in combination with our specific Cloud Security Assessment methods.
SECURITY BUSINESS & LOGIC REVIEW
“How Can Your Business Logic and Controls be Broken?”
Many security testing programs involve assessment that is generally from the “outside in” (external threat), initially from a pre-authentication perspective to see if it’s possible to “break in”. Depending on the findings, post-authentication testing may take place either by using a compromised account within an application or being granted credentials that are used to do further assessment work. A further fascinating area is that of business logic and context security.
Whilst normal post-authentication testing involves a great amount of detail, the testing teams use their own hypothesis – “can I laterally move around and gain access to other data?” etc. Our service in this context goes one step further. How can the business logic be broken?
With many applications themselves now being well designed, attention is being turned to the abuse of business logic testing and implementation. We work with the business to establish what logic rules have actually been designed and create a series of post-authentication tests to assess authentication and role-based security and how effectively business logic and application control is actually implemented.
CLOUD SECURITY ASSESSMENT
“The Cloud – a Magnificent Architecture that Can Bring About Unforeseen Complexities”
With Cloud services comes so many new dimensions of risk, where the components of an overall environment may span traditional Infrastructure and some Cloud components for specific tasks (hybrid Cloud) to full use of Cloud for both Applications and Infrastructure (and everything in-between). Unlike a contained application, the boundary of security controls and flow does not start and end with defined boundaries, nor can we sit it within our own DMZ and apply traditional management and monitoring to it.
Security weaknesses in the cloud per se are not the scope of our team’s review or work in this instance. In this aspect of our service, we assess the integration and the hand-off/delineation of responsibility and service and uniqueness of design in infrastructure, applications, data and integrations of our client’s overall environment.
In terms of methodology, we use best practice plus our own methods. The Cloud Penetration Testing Handbook provides a good basis for the high-level work and approach for testing but like all great frameworks this forms the basis for expert work and this is where expertise, workflow and IP are required on top of such methods.
We work with you to examine and validate the myriad of components, data flows, hand-off’s of responsibility, layers of IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) give rise to so much opportunity for flaws to be expressed and inherent vulnerabilities to be exploited.