Vulnerability Assessment & Penetration Testing - English

Vulnerability Assessment & Penetration Testing

One of Secura's most valued service lines, and the service line with the longest history within Secura, is Vulnerability Assessment and Penetration Testing (commonly known as VA/PT). Secura started testing for customers in the year 2000 and has been a renowned party in security assessments ever since. Our services span all domains, from IT and OT to IoT, and encompass a huge variety of types of tests. To help you understand our vision and our services, we will explain below what we do, and then highlight our value by presenting several customer cases.

Secura has worked in information security and privacy for more than two decades. This is why we uniquely understand the challenges that you face like no one else and would be delighted to help you address your information security matters efficiently and thoroughly. We work in the areas of people, processes and technology. We offer a range of security testing services varying in depth and scope.

There are many types of testing that are collectively known as 'Vulnerability Assessments and Penetration Testing' (VA/PT). Classical 'Penetration Testing' means that tests are performed from the perspective of an attacker, and vulnerabilities are exploited to see 'how far can an attacker get'. However, this is not always the most effective way of testing, because it often makes more sense to perform a Vulnerability Assessment: test in such a way that as many vulnerabilities as possible are found, without wasting time trying to exploit them to see how far you can get. Finding more vulnerabilities is often more valuable because it allows risks to be reduced more effectively: exploring wide, instead of (only) deep.

How to Scope Your Vulnerability Assessment / Penetration Test?

Targets & Technologies: Network & IT infra; Applications; Cloud; OS & Appliances; Wireless Technologies; IoT
Types of Testing: Black Box; Grey Box; Crystal Box
Application of Standards: None (i.e. effort-based testing); OWASP ASVS; CIS
Frequency: Manual (once); Manual (annual); Manual Periodic; Delta Testing (in case of continuous testing)

Targets and Technologies

Over the decades, our customers have asked us to perform security tests on virtually every thinkable target. Some types of systems require extremely specific knowledge of the target, while others can be handled in much more generic ways. Therefore, while we definitely can perform, for instance, a penetration test on a bespoke application in a High-Performance Computing (HPC) environment, usually our customers ask to test their systems in environments that are more common. To give you an idea of the targets we test frequently, a selection is provided here: Network & IT Infrastructure, OS & Appliances, Applications, Cloud, Wireless Technologies, IoT.

Network & IT Infrastructure

External, internet-visible IT systems are attacked daily. It is therefore often required to test these systems periodically or when significant changes are applied. Usually, vulnerability scans are the basis for such assessments, while manual verification of all findings and risk ratings is performed. However, it is equally possible to perform such assessments on internal networks, and also on very specific parts of the infrastructure (such as the e-mail infrastructure or VPN infrastructure).

Applications

Probably the most often tested targets are applications. This is obvious because applications must protect the data they process. Web applications are often exposed to the world and not always protected very well. Therefore Secura assesses the security of all varieties of applications, be it web applications, APIs, mobile applications or standalone (fat client) applications. Secura mostly uses renowned testing standards and methodologies for this, such as the OWASP ASVS standard. See below for more details on the applicability of such standards.

OS & Appliances

The configuration of Operating Systems (OS) such as Windows, Linux, Unix and others is at the core of the security posture of all IT environments. Securely deploying servers, endpoints and appliances using baselines and secure builds is a key component of managing risks in complex environments. This is why Secura assesses such configurations, often using baselines such as the CIS baselines as a model. But we don't stop there. Assessing security also has a lot to do with trust relations, rules auditing (firewall rules, for instance) and reviewing access rights and authorisations. Specific services (such as web servers, middleware and databases) can also be assessed for secure settings.

Wireless Technologies

WiFi, Bluetooth, 2G/3G/4G and other wireless technologies (such as Zigbee or WirelessHART in the industrial domain) remain a weak point in many infrastructures. Some can be easily disrupted or taken over, even at a distance. Therefore, Secura has developed specific testing protocols for such technologies. Often combined with physical access testing or site surveys, knowing the susceptibility of your wireless infrastructure to attacks is an important aspect of becoming more resilient.

Cloud

Cloud computing is so pervasive these days that we often don't even realise we use it anymore. However, due to the shared responsibility of the cloud customer and the cloud service provider, there are new risks that need to be assessed, dealing with how the cloud provider and the customer have configured the services. Secura offers detailed assessments of the Cloud Service Provider configuration (Azure/AWS/Google and others) that allow cloud service customers to deploy in the cloud with the confidence that all security configurations are set correctly. Also, when using container technologies such as Kubernetes and Docker, Secura can provide assessment services. The actual deployment model (SaaS, IaaS, PaaS or FaaS) does not really matter; we have experience and knowledge in all models.

IoT

IoT devices are a growing target of our test and assessment services. Hardware, firmware and (cloud-dwelling) backends are all targets for attackers and often not very well understood. Secura can test all these aspects, and also apply reverse engineering and firmware hacking techniques to find out which weaknesses exist. Interesting to note in this context is that Secura is also an active partner in the INTERSECT research consortium, which includes all Dutch Technical Universities and many multinationals, and is focused on developing new technologies for testing and securing (Industrial) IoT devices.

Types of Testing

The efficiency and outcome of testing are heavily influenced by the information available to testers upfront. We generally make a distinction between black, grey and crystal (also known as white) box testing.

A black box test is generally associated with a test where we do not know anything beforehand except the target addresses. Black box testing provides you with an answer to the question: "What could an average attacker with limited time and resources do?". Black box testing typically uncovers 'low hanging fruit', but lacks the depth necessary for an answer to questions such as "how well protected is my data really?". In black box testing, a vulnerability assessment is carried out, identifying entry points for an attacker. Further penetration of the deeper layers is then performed by exploiting concrete vulnerabilities. Since no credentials (usernames and passwords) are available to us, most business logic issues and authorisation model failures will not be identified. However, using black box testing, you will have an excellent view of all attack surfaces an attacker could abuse.

In a grey box test we have credentials to log in, often for various roles (e.g. user, supervisor, administrator). This is hugely important if the application or device in question contains any sensitive data, such as medical, financial or other data that should only be available to certain users or roles. "Can a user access the data of another user?" is a question we can only answer adequately with a grey box test. This type of test is the most common for our clients. Black box testing is usually also a part of grey box testing, so that you will be able to differentiate between vulnerabilities that are available to external attackers, and vulnerabilities that can be exploited by authenticated users only.

Finally, in a crystal box test, we have the source code (or full configuration information of infrastructure components) while performing grey box testing. While we normally will not perform a full source code review during a vulnerability or penetration test, we do use the source code to identify vulnerabilities in security functions. Especially vulnerabilities in input validation, cryptographic handling and authorisation models can be found much more efficiently this way. Having access to the source code or detailed configuration information during a test allows us to answer the question: "How well protected is my data really?".

Keep in mind, though, that the distinction between black, grey and crystal box testing is not a strict one; mixing forms is possible. For instance, a common combination when testing web application security is to perform black box testing on the infrastructure, and grey box testing on the application itself. Another common black box penetration test is a penetration test of the internal network (plug in and see how far you can get). In such an internal penetration test we have no information upfront and we try to get access to all the data by exploiting vulnerabilities (usually by gaining domain administrator rights during that process).

Black Box Testing: No information available, except target addresses.
Grey Box Testing: Some information available, such as credentials to log in.
Crystal Box Testing: Full information available, including source code.

Alignment & Setup

Frequency of Testing

[Figure: Annual Manual Pentest, followed by Periodical Delta Testing (automated), repeated]

Our customers often ask us what the best frequency of testing is. Many settle for yearly assessments, or for testing when major changes are made to applications or infrastructures. However, it is becoming more and more common to perform very frequent small incremental updates to applications (when using Agile, DevOps and CI/CD software development models). This makes it necessary to adapt the testing frequency as well, and is the reason that Secura also offers a Continuous Scanning service where applications are tested first manually, then automatically every month, week or two weeks. Given the frequency, test reports for the automated tests will be delta reports, only providing the differences with the previous reports.

Application of Standards

It is Secura's vision that security will more and more be supported by security metrics, and be made more measurable, reproducible and comparable through the adoption of (technical) standards and baselines.

OWASP ASVS

Secura performs application testing according to the OWASP Application Security Verification Standard (ASVS) for web, API and mobile applications. We not only test according to those standards but also report our findings using this structure. Besides testing and reporting according to ASVS, Secura also offers Assurance services according to the three levels of the OWASP ASVS standard:

Level 1: First steps, automated, or whole of portfolio view. An application achieves ASVS Level 1 if it adequately defends against application security vulnerabilities that are easy to discover, and included in the OWASP Top 10 and other similar checklists.

Level 2: Most applications. An application achieves ASVS Level 2 (or Standard) if it adequately defends against most of the risks associated with software today.

Level 3: High value, high assurance, or high safety. ASVS Level 3 is the highest level of verification within the ASVS. This level is typically reserved for applications that require significant levels of security verification, such as those that may be found within areas of military, health and safety, critical infrastructure, etc.

In a standard security assessment, Secura focuses on testing an application for all known vulnerabilities, including context- and business-specific tests. Clients who want to obtain assurance on the security of their applications according to the ASVS standard may choose the ASVS Assurance service from us. This guarantees that we have checked all controls relevant for the corresponding level and provides a report that can be used by an auditor to show compliance with the standard.

Other Standards

Similarly, we perform configuration and hardening reviews, and apply the CIS baselines to them to provide insight into compliance with them.

Our VA/PT testing services are often also used to support audits and compliance schemes such as DigiD (the Dutch national authentication scheme), Common Criteria and BSPA, for which Secura is an accredited test lab.

Results

All our Vulnerability Assessment and Penetration Testing services result in a written report in English, with Dutch as an optional alternative language. This report contains an introduction, a management summary describing all the important risks we identified, and a technical section describing the steps we took to identify the risks. This means that, in contrast to many other providers, your developers and engineers will be able to repeat our actions using the information in the report, and validate for themselves what we found. As we have dedicated teams running these security assessments all the time, you also have assurance that all major risks are known to you and can be mitigated. In our report we tell you what to fix, and with what priority. We score vulnerabilities according to the CVSS 3.1 standard and can also provide findings in other formats, such as JSON (for integration with issue trackers) and as an Excel sheet. Our recommendations are actionable and risk-scored: you will know exactly what to do first.

The Team

Secura's pentesting team is made up of several dozen specialists, with varying experience levels (juniors, mediors and seniors) and specialisations. All testers are certified to a minimum standard (eWPT), while most have multiple certifications such as OSCP, OSCE, eCPPT, GIAC GPEN, SANS and many others. We actively encourage the development of our specialists, and provide them with the opportunity to develop themselves and perform security research.

Tooling

Tools, including vulnerability scanners, are an important part of the services we provide, but we do not rely on them for everything. In fact, most of the work we do is manual testing, supported by tools such as Tenable Nessus Pro, Burp Suite, SonarQube, AppScan and many others. We use (and develop) our own scripts for many purposes and maintain a large collection of smaller tools in our repository.

Specific tasks sometimes have specific tools, and this is why we also use tools such as IDA Pro for binary analysis, cloud scanners for checking cloud configurations, and CIS baseline scripts to check for compliance against the CIS baselines.

And when it comes to hardware and wireless technologies, our lab is equipped with Software Defined Radios (SDR), (de)soldering stations, logic analysers, and a slew of interfaces for testing hardware such as Bus Pirates, Facedancers, JTAGulators and many others.

We like to keep our lab and tools up to date, and are always looking for new and exciting ways to make testing better and more efficient.

Test Process

[Figure: test process phases: 1. Preparation and Information, 2. Test and Analysis, 3. Report and Explanation, 4. Retest or Periodic Follow-up Scans]

Secura follows a phased approach to all security assessments. First, the preparation of the assessment takes place, then information about the target systems, components or applications is collected, then the assessment is carried out and finally the report is written.

Phase 1: Preparation and Information Gathering

Good preparation is essential and ensures a time-efficient execution of the assignment. The activities in this phase are:

- Determining a complete overview of the target systems in scope (e.g. IP addresses and URLs).
- Drafting and verifying indemnity statements (especially if third parties are involved).
- Designating and establishing technical and operational contact persons.
- Defining scan frequency and timing (in consultation with the client).
- Validating that login details required for the assessment have been delivered (if applicable).

By collecting as much information as possible (e.g. by using data from publicly available sources) we get a complete picture of the systems in the scope. The information that can be collected includes:

- Systems within the scope.
- TCP and UDP ports with active services.
- Known vulnerabilities in underlying services.
- Applications or frameworks used.
- (Sub-)domains.
- Functionality (authenticated) of user roles (if relevant).
- Accessible web services and/or APIs.
- (Possible) external links.
- Any other relevant scope details: physical, people, process etc.

Phase 2: Test and Analysis

In this phase, Secura assesses which vulnerabilities can be identified by conducting an investigation by a team of experienced security specialists. The strength of the assessment is the way in which we use our technical knowledge and logic to find vulnerabilities. In order to work as efficiently as possible, we also use tools and scripts developed partly by Secura itself. The research results in raw data and potential vulnerabilities that are then manually checked for 'false positives'.

Phase 3: Report and Explanation

This phase consists of writing and reviewing the report. If you wish, we will be happy to discuss the report with you and review the findings together.

Phase 4: Optional Retest or Periodic Follow-up Scans and Delta Reports

Retests or periodic vulnerability scans are a necessary complement for organisations working with ever-expanding IT infrastructures and ongoing application development processes with very regular updates. In these situations it is almost impossible (and also very cost-inefficient) to always have a (thorough) manual security assessment performed. That is why Secura can perform automated vulnerability scans periodically after a manual penetration test (either applicative or infrastructural, or both), whereby the frequency and timing are tailored to the customer's development methodology. This gives you the best of both: the unique expertise of a Secura security expert and frequent scanning to optimally mitigate security risks.

Whatever the type of test, we will always coordinate with our customers to determine whether the services can be delivered remotely over the internet, on site, or a combination of both.
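The delta reports described under Frequency of Testing and Phase 4 above, combined with the CVSS 3.1 risk scoring and JSON export mentioned under Results, can be illustrated with a small script. This is an added example, not Secura's tooling; the finding fields (host, service, title, cvss) and the sample scan data are assumptions constructed for the illustration.

```python
"""Delta report between two periodic scan runs, prioritised by CVSS 3.1 score.

Added illustration, not Secura's own tooling. The finding fields (host,
service, title, cvss) are an assumed schema; adapt finding_key() to the
export format of the scanner you actually use.
"""
import json

# Constructed sample data: previous and current run of an automated scan
# against the same two hosts, each finding with its CVSS 3.1 base score.
PREVIOUS_RUN = [
    {"host": "10.0.0.5", "service": "tcp/443", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.0.5", "service": "tcp/22", "title": "Outdated OpenSSH", "cvss": 7.5},
    {"host": "10.0.0.8", "service": "tcp/80", "title": "Missing security headers", "cvss": 4.3},
]
CURRENT_RUN = [
    {"host": "10.0.0.5", "service": "tcp/443", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.0.8", "service": "tcp/80", "title": "Missing security headers", "cvss": 4.3},
    {"host": "10.0.0.8", "service": "tcp/8080", "title": "Exposed admin interface", "cvss": 9.8},
    {"host": "10.0.0.8", "service": "tcp/80", "title": "Reflected XSS", "cvss": 6.1},
]


def finding_key(finding):
    """Identity of a finding across runs: same host, service and title."""
    return (finding["host"], finding["service"], finding["title"])


def cvss_severity(score):
    """Qualitative rating from the CVSS v3.1 severity scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritise(findings):
    """Annotate each finding with a severity label, highest CVSS first."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [dict(f, severity=cvss_severity(f["cvss"])) for f in ranked]


def delta_report(previous, current):
    """Classify findings as new, resolved or persisting between two runs."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    new = [f for k, f in curr.items() if k not in prev]
    resolved = [f for k, f in prev.items() if k not in curr]
    persisting = [f for k, f in curr.items() if k in prev]
    report = {
        "new": prioritise(new),
        "resolved": prioritise(resolved),
        "persisting": prioritise(persisting),
    }
    report["summary"] = {name: len(items) for name, items in report.items()}
    # The top-ranked new finding is what the customer should fix first.
    report["fix_first"] = report["new"][0]["title"] if report["new"] else None
    return report


def to_json(report):
    """Serialise the delta for an issue-tracker import (stable key order)."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(delta_report(PREVIOUS_RUN, CURRENT_RUN)))
```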

VA/PT Services

We hope this overview has provided some background to our VA/PT service offering. And while the possibilities are endless, there are of course several VA/PT services that are more popular than others.

In a Black-Box Infrastructure (BBI) assessment or Black-Box Application (BBA) assessment, Secura tests the externally visible infrastructure or application from an attacker's perspective, without information or login credentials upfront. What could an attacker do, given just a range of IP addresses or URLs?

In a Crystal-Box Infrastructure (CBI) assessment, Secura is provided with access to, and configuration details of, infrastructure components such as Windows servers, firewalls, databases, routers, Unix/Linux servers or any other appliance or middleware. Together with the customer's engineers, we then review the security settings of the targets, and compare them to best practices or vendor recommendations.

In a Grey-Box Application (GBA) assessment, we test from an authenticated perspective which vulnerabilities can be found in the application, including relevant APIs. Because many applications support multiple user roles, an important part of such tests is assessing the separation of these roles: can a user see data and functions of another user with the same or a different role?

A Crystal-Box Application (CBA) assessment takes the GBA some steps further, by having the source code and design information of the application available to the testers. This makes testing a lot more effective and makes it possible to find vulnerabilities that would otherwise be very hard to identify. For high-risk applications, such as those dealing with financial or patient information, this type of test would be the preferred method.

When deploying applications in the cloud, things can become quite complex due to the shared responsibility model. In a Crystal-Box Cloud (CBC) assessment, Secura tests not just the application or infrastructure from an external perspective, but also from the perspective of cloud security settings: usage of storage encryption, authentication settings, IAM configuration, logging and monitoring, etcetera.

Internal Penetration Tests (IPT) are a great tool for improving the security posture of your internal network. If an attacker or a piece of malware gains a foothold in your network, it is essential to know what weaknesses exist that could be leveraged to gain access to the 'crown jewels' in your network. With an internal pentest our experts will test your resilience against these types of attacks.

Red Teaming (RT) is an increasingly popular method of testing that incorporates internal and external penetration testing with social engineering and physical access control testing to assess the cyber resilience of your whole organisation. Secura is also one of the accredited parties to perform TIBER Red Teaming exercises in the financial sector according to the scheme devised by the Dutch Central Bank and now rolled out across Europe in the TIBER-EU scheme.

Code Reviews (CR) are a part of any Crystal-Box Application assessment, but can also be performed as stand-alone projects, especially when code quality or specific research questions need to be addressed, such as correct use of cryptographic primitives, software libraries or memory usage.

Example Cases

Below we provide several examples of the projects we have recently done for our customers. Secura performs over a thousand security assessments every year, and as a result we can provide many references if required.

For a large online retailer, Secura performed a grey-box application assessment. During this assessment, we identified several ways of manipulating content of the website, including ways that would impact visitors to the site negatively. We were also able to trick the payment API into thinking articles were paid for when they were not, leading to a possible fraud scenario. The customer was able to fix these issues even while we were testing.

For a government institution, Secura performed a black-box infrastructure and application assessment. This led to the identification of several inadequately secured management interfaces and missing important patches for several other network services.

For an international job and labour broker, Secura performs biweekly automated and manual tests of the acceptance environment of their main web application. Yearly crystal-box application tests are performed on the production site, in conjunction with the frequent periodic scans, so that this customer has a high level of assurance that security flaws will not be present in the production environment.

For a grid operator, Secura tested the smart meter 4G communication modules and backend infrastructure. Cryptographic protocols were analysed and firmware was tested. As a result it was determined that all protocols had been implemented correctly and that proper safeguards had been provisioned in the backend to prevent manipulation.

For an international high-tech company, Secura performed an internal penetration test of their worldwide network, leading to a full compromise of the Windows domain, despite many mitigations already being in place. The remaining risks were subsequently addressed in an improvement plan. Additionally, SIEM use cases were made so that future exploitation of these issues would be detected.

For a financial institution, Secura performed a Red Teaming exercise where several attack paths were uncovered that could have led to significant compromise if abused by a malicious actor. Also, the Blue Team was trained and tested its response capabilities, leading to a valuable increase in insight into the bank's security and providing them with actionable recommendations for improvement.

For the Dutch government, Secura performed a source code review of the national COVID-19 contact tracing mobile app, on both iOS and Android.

Our Related Services

Whilst VA/PT might be a popular way to test security, Secura offers more, and sometimes more interesting, ways of testing, depending on your testing targets and focus.

Technology Focus

If there is a need to gain the most detailed level of insight into your security posture, Secura can perform Configuration Reviews and Source Code Reviews. With all the source code, information and access available (see crystal-box testing above) it becomes possible to provide a detailed analysis of all settings and code aspects of servers, applications and cloud environments, giving our customers the best possible advice for increasing the security of their environments.

People & Process Focus

When you want to test the cyber resilience of not just an application, but your whole organisation, you will have to take other factors into account, such as physical security of buildings, offices or production plants. Secura has the skills and experience to test physical access controls, and this is often combined with Social Engineering (SE) exercises where the human aspects also come into play: is it possible for an attacker to gain entrance to your building by, for instance, simply faking an appointment, thereby being able to penetrate the internal network or leave rogue devices behind? And what information is leaking onto the internet, and might this be abused by an adversary? Investigating Open Source Intelligence (OSINT) data allows Secura to paint a detailed picture of the exposure your organisation has on the internet.

Integrated Scope

In a Red Teaming exercise all these aspects come together, and based on scenarios, Secura tests the full spectrum of possible cyber-attacks: hacking, OSINT, physical access and social engineering. A Red Teaming exercise is often done when the basic security hygiene is under control (in terms of people, process and technology). A Red Teaming exercise gives valuable insight into how attackers may access (in a targeted manner) your digital "crown jewels".

Secura is one of the few parties in the world that performs Red Teaming exercises in the Operational Technology (OT) domain, for instance for utilities and grid operators, or oil & gas plants. In the OT domain, however, it is not always possible to test security in an offensive way due to the risk of disruption (although we know how to handle such risks). Therefore, a less intrusive way of testing OT environments is the OT Risk Assessment, which is more inspection-oriented but can be very valuable in providing a baseline security model for environments with industrial control systems.

From our Red Teaming experience, we have also learned how to test the detective capabilities of SOC/SIEM implementations. Your security does not only depend on preventive measures, but also on the effectiveness of detective measures, and Secura has developed a process and tooling under the name Purple Box that provides heavily controlled simulated attacks in order to test the detective capabilities of the SIEM and the responsiveness of the SOC.

Of course, Secura understands that processes, policies and procedures are an integral part of your security posture, and we have services to assess those aspects as well. If you want to assess your compliance with the controls of your security management system (e.g. ISO 27001, NEN 7510), Secura can perform a gap analysis or a more formal audit, pinpointing risks, gaps and weak spots.

Interested? Would you like to learn more about our services? Contact us today: 31 88 888 31 00, info@secura.com, secura.com
