Security Testing and Remediation
We are acknowledged by our clients for our technical expertise as well as our guidance and assurance from an information security perspective.
The following services range from identifying specific vulnerabilities to addressing them on their own infrastructure:
Penetration testing a new system is the ultimate validation that the design, development and deployment of that system is in-line with secure practices.
Our Penetration Testing Team continues to impress clients and developers when given access to a new system and subsequently able to demonstrate the flaws within it. An organisation choosing to have a penetration test carried out, and in particular a ‘Crystal Box’ one, is demonstrating maturity in the information security space. Ideally, this takes place once user acceptance testing is complete and before ‘Go Live’. This means there is still a chance to remediate any issues identified, retest to validate, and then release to the Internet.
By default, most Operating Systems (OS) that are installed ‘out of the box’ are general in nature and, by that measure, often insecure. They attempt to offer a broad range of services with very few restrictions. Some vendors have partially addressed these issues through role-based installation and minimisation of unnecessary services. Despite these efforts, it is our opinion that the OS still requires a further layer of ‘hardening’ to be applied. Waystone can work with the organisation to determine the most appropriate hardening policy to be applied to a specific OS. Training can also be provided to ensure that an organisation’s own support teams understand the hardening process, the rationale for decisions on settings, and problem resolution. We want the client to be self-sufficient, where appropriate, when it comes to OS Hardening. In the same way as the OS needs hardening, so too do the application layers that are installed on it. Whether it is a web content delivery application, a database application or some level of middleware, there is likely to be a level of hardening required. Our philosophy is that this hardening should never be dependent on one person or organisation, and documenting the hardening is a key feature of our engagement.
Over recent years the move to ‘DevOps’ and other rapid development and deployment methodologies has, in some cases, led to a quality issue in terms of information security vulnerabilities being introduced. These may not be caught until the next major penetration test, and by then, the damage may have been done and a breach may have occurred. By carrying out source code reviews, and in particular, automated ones, many of these issues can be caught before code is ‘dropped’. We are able to provide a range of source code review options for clients, with the most popular being Static Application Security Testing (SAST). This automated process can save huge amounts of developer time and business frustration.
Organisations are at varying levels of maturity when it comes to software (or ‘application’) development. Delivering secure systems that need minimal remediation at the application penetration and security testing stages prior to going live can dramatically save time and cost.
We are able to facilitate the Static Application Security Testing (SAST) of source code that can achieve this objective and we are experienced in introducing the concepts of developing secure code all the way through to designing embedded steps in DevOps for automated static code analysis during code drops.
The Open Web Application Security Project (OWASP) is an internationally recognised standard for the development of online systems.
Our team of experts has extensive experience with OWASP and the implementation of the principles at both design and development stages. We work with an organisation to ensure that the principles of OWASP are integrated at all levels in the design and delivery of any new service. This greatly reduces the likelihood of any future issues.
The familiar idea that ‘security has many layers’ is as relevant today as it has ever been. Organisations must, however, still ensure that clear and present dangers with regards to their network perimeter are clearly understood and that mitigations are in place.
While conducting security reviews of firewalls and network perimeters we consider each client’s technical and functional requirements. We also ensure that each client’s specific threat surface and attacker Tactics, Techniques and Procedures (TTPs) are considered. This is often achieved by assessing specific attack scenarios and using the cyber kill chain identified for these scenarios to derive mitigations that the client can implement.
As a key building block of most organisations’ systems, it is critical that Active Directory is configured to provide a solid foundation for the desired security posture. There is a vast array of parameters that can be set, and many of the default settings, while simplifying administration, are not necessarily the most secure.