Complementing our Strategic and Expert Advisory programs is a deeply technical Security Testing team. Comprising a group of specialists and generalists, we have a diverse skill-set together with a distinct workflow, teaming, methodology and reporting capability that sees quality control baked into every stage. Importantly, we promote active and open communication with our clients in this area of practice to ensure that we do this essential work together.
Core to our stack of Technical Testing expertise is our expert team of Pen Testers who specialise. Fundamental to great tests is the combination of great expertise (practice and rehearsal), interactive communication with our client as one overall team, and being thoroughly organised (simple, but at scale this is where the industry tends not to do so well).
Great Pen Testing is about doing more (see Culture section for further info). Focus, Deep Work, Wider Research, Methodology Workflow, Systematic Reporting Tooling and Quality Control separate quality in this field, as does the recognition that a firm can only specialise in a few core areas. Our expertise thus covers a defined field of knowledge, and we are open to calling out our limitations as that’s in the best interests of everyone.
CODE REVIEW & DYNAMIC TESTING
Code reviews are interesting as they can be modelled in a number of ways:
CODE REVIEW TOOLS
These present a first filter and quality gate to find bugs as they are happening. By combining our Strategic Advisory Services & Expert Assessment of embedded/augmented teams, we can help you “drive” more effective usage of your own security tooling in the context of your SDLC.
STANDALONE / “STATIC” ASSESSMENTS
These use your tooling above on a per-project/code-stack basis, or have our teams apply scripted or manual review techniques to key code repositories and libraries.
We combine both Static assessments and live sites to create “Dynamic” testing. The benefit is that we can see, live, the effects of parameters actually being passed to databases or of web service calls being made.
All three techniques have their own degree of value, but all benefit from the different perspectives of an expert Security Testing team driving the process. The degree of interactivity you choose between our teams is very much dependent on your objectives. However, the feedback loop is essential, and we take great pride in sharing not only what is found in such reviews but also, through your report or interactive Q&A/feedback sessions with your developer team, “how” the bugs and findings came to be. We can even run a session for your developers to contextualise our findings and support you in your communications internally.
A fascinating area of almost unlimited scenarios and combinations, adversary simulation is designed to transition away from the auditing aspect of Vulnerability Assessments and Penetration tests and instead simulate a series of attacks against some aspect of a target (in this instance a Client who is engaging such services).
Our Red Team functions in a multi-dimensional way and this is a highly flexible approach that we design with our clients. Practical considerations are as follows:
- Breadth vs Depth vs Gates: The realities of commercial engagements are that we can’t have unlimited time and scope. Some clients opt for a wide breadth of scope to identify multiple vectors of target penetration, versus depth of compromise. If depth can be achieved through, for example, a pivot, where and when to stop becomes a time versus value discussion (aka gates, where choices can be made by our client); there could be other routes of equal discovery value.
- Threat Modelling: Degree of Threat Modelling undertaken to build Tactics, Techniques and Procedures (TTPs). This links in with the wider formulation of Red Team goals and planned attack scenarios that are often established between us and our client team to achieve the best outcome.
- Reality: Respecting that Clients have live systems and live service to maintain, how to establish the best way of emulating real attacks while limiting the impacts by using, for example, development environments or out-of-hours/non-peak-hours testing.
- Blue Team Communication: Level of communication with your “Blue Team” to share knowledge and actively test internal controls, tooling and feedback/interaction with your SOC Cyber Personnel.
- Existing Red Team Collaboration: To mix it up, we can blend the skills of our team with those of your internal Red Team to give more informed views and different contexts for attack scenarios and threats. This is an exciting hybrid as it enhances efficiency, provides easier access to Blue Teams, helps greatly with knowledge transfer (to both Red and Blue) and has a commercial efficiency advantage. It’s also great fun, highly interactive, and adds a degree of live operations safety margin to the engagement.
COMPLIANCE SECURITY TESTING
Security testing is about managing risk, and risk itself is both a subjective and objective term based on appetite, perception, threat (real or otherwise) and compliance. Not all stacks can be tested all the time for everything, and that’s just a simple reality. Further, the scope, type and focus of each test vary with the requirement.
Compliance testing mandates a set of key testing regimes against specific scopes and is highly dependent on the requirements of the Compliance framework itself. Whether the test is needed for PCI compliance or similar, our team will work with you to establish the correct scope, depth and cadence needed for your compliance testing, in combination with other aspects of risk or applications that may not be applicable just in compliance testing.
Fundamental to Technical Security Testing is the art of Vulnerability Assessment. This term is more than just a suite of tools; it’s about the discovery, validation, contextualisation and deduplication of the landscape of security bugs that are present in an overall environment. Vulnerability Assessment is the starting block for wider Assessment Services such as Attack Modelling (part of the Threat Modelling piece) and the beginning of a wider Penetration Test. Interestingly, Vulnerability Assessment also pertains to the wider context of vulnerabilities in business logic and rules-based engines.
Many of our more mature clients have Vulnerability Assessment engines already in place, but the fundamental problem is coping with their output, as they do “find stuff”. The art is in assimilating these findings, contextualising and prioritising them to give an overall technical risk framework. By blending technical skills, the use of tools, and our wider Assessment and Strategic services, we are able to advise clients on optimising their VA toolsets, and in some instances embed expertise to help run such estates. Contact us for more detail.