CROZ’s team of experts for offensive security performs the complete check of security of an IT system. The service is based on top global tools for checking vulnerability and penetration testing and highly trained security engineers. Tools, activities, and methodologies used during the CROZ Xray security check are:
1. IBM Appscan
A tool for checking vulnerability in web applications that can track the most hidden oversights through a detailed analysis of the code. The service includes:
- checking and detecting vulnerability on web applications, optional use of vulnerability, and elimination of false positive results
- consultancy services provided by CROZ’s programmers that include the interpretation of results and consulting on correcting the detected vulnerabilities and configuration oversights
- glass-box testing (pointing to a specific line of code that caused the detected vulnerability on the web application)
- checking the source code (integration with Visual Studio, Eclipse and Rational® Application Developer for WebSphere. Supported languages: ASP (JavaScript/VBScript),C/C++,Client-side JavaScript (JQuery and MooTools),COBOL, ColdFusion, Java, JavaServer Pages (JSP), Android,.NET (C#, ASP.NET, VB.NET), Perl, PHP, PL/SQL, T-SQL, Visual Basic 6).
2. Rapid7 Nexpose
A tool for checking vulnerability and security configuration on the infrastructure (servers, network devices). The vulnerability check produces reports that point to oversights in the system related to outdated versions of the software or incorrect or insecure configuration of the system. The service includes:
- checking and detecting vulnerability on operative systems, network devices, and web platforms
- interpretation of results by CROZ’s security experts and optional penetration testing to eliminate false positive results
- analyzing and comparing the results to a PCI template
- additional vulnerability check on web platforms: a combined check using the two best global tools for checking web vulnerability ensures that no oversight goes unnoticed
- creating and delivering reports with a list of vulnerabilities of the configuration
- comparing configuration settings of operative systems with the CIS safety standard
- consultancy services by CROZ’s security engineers related to priorities and methods of handling the identified vulnerabilities
- recommendations and guidance on the further improvement of system security
3. Penetration testing based on the Penetration Testing Execution Standard
The service of penetration testing includes:
- Collecting information
- Enumeration
- Detecting vulnerability and analysis
- Using identified vulnerabilities
- Creating reports and consultancy on the necessary steps to improving system safety
Penetration testing is not an automatized process. The type and scope of penetration testing both depend and adapt to the needs of the user. By following the world renowned Penetration Testing Execution Standard, the service ensures a high level of standardization and detail, as well as the high involvement of engineers. During testing other tools such as Metasploit, nmap, hydra, Wireshark, Cain & Abel, and burpsuit are also used, and each assignment is tailored according to the user’s needs.