Dynamic analysis of the application and exposed APIs supporting vital client information will be tested to validate the security posture. VerSprite conducts a detailed analysis of the overall application and interfaces, which include the following:
Demonstrating Viability of Attacks
The feasibility of exploitation is what we focus on: solving for the probability variable in a risk analysis of realistic attack patterns. Targeting exposed corporate network nodes, hosted infrastructure, supporting platforms, or pivoting off third party solutions – we aim to emulate current and advanced attack patterns in both black box and gray box scenarios.
Testing Production Environments
If you are in the energy sector or do not have a staging or mirrored production environment, you may have concerns about uptime when performing network security tests. VerSprite has an approach that focuses on testing these environments with greater precision based upon a network threat model where we first understand current network usage patterns and SLAs for uptime prior to testing. Special testing windows can also be performed for these types of environments where a higher level of precision and care is needed for security testing.
Let us show you how a threat model pen test can make a vast difference in both testing and in messaging of risks.
Application Security Testing
Ever wonder which top ten list cybercriminals are reviewing to attack your flagship application next? Neither are we. Yet Fortune 50s are still subscribing to products that use these lists to evaluate their apps. Get to know a more evolved mantra around AppSec testing led by application threat models. We build custom attack patterns that map to application use cases as part of manual exploitation exercises against any application types. From mainframe supported systems to traditional client-server applications, our versatile approach feeds a risk-centric threat model that inspires a greater understanding of what is at stake.
Expertise in Testing Varied Application Models
VerSprite tests various application types as part of its overall suite of pen testing services. We can help identify security risks that may go undiscovered if not properly tested in client software, mainframe, web applications, fat clients, embedded software, and more. Regardless of what language your application is written in, VerSprite has a breadth of coverage in penetration testing to ensure that we can emulate attack scenarios for any type of application. Our consistent focus is to test exploitation possibilities for discovered vulnerabilities and weaknesses in your application model. For more information, please drop us a line.
Dynamic Application Security Testing
When people think of DAST, they think of tools that run scripted security checks. Many don’t realize that DAST testing efforts can come through humans that can manually code evolved application scripts that seek to abuse application use cases. VerSprite’s AppSec teams are going to be able to manually write better, more up to date payloads for your application compared to your enterprise scanner whose signatures are more dated. Come discover how VerSprite can marry both automation with niche manual dynamic analysis via its AppSec DAST services. Now offered as both a managed service as well as time boxed engagements.
Static Application Security Testing
Much like automated DAST solutions, false positives are produced with static analysis of source code reviews, particularly when pure automation is involved. For any given application where thousands (if not millions) of lines of code are ingested into a solution, many developers begin to receive an endless list of findings that are often riddled with the following:
1. False positives that consume developers time
2. Security findings devoid of any threat context
3. Static findings that are devoid of supportive dynamic results
Discover how VerSprite can build a managed or time boxed SAST solution for you that addresses the above via a hybrid SAST/ DAST model and one that is guided by an application threat model – in order to focus on the most impactful security weaknesses in your application.
VerSprite knowledge about the different SAP Layers and how they make up the netweaver framework allows the team to perform a thorough review of the SAP landscape, Application Servers and Clients. Additionally, our recommendations on security best practices for SAP Segregation of Duties will help you improve your SAP Profiles as well as avoid common pitfalls due to security misconceptions.
VerSprite includes in the scope all the different layers and components within the SAP ecosystem: SAP Network and Web layer as well as lower layers that go from the DB and OS platform where the ERP is running to the different proprietary SAP protocols such as DIAG. The SAP Router and Web Dispatcher are main components within this scope but VerSprite will also help finding security issues also on the Management Console, SAP GW and RFC Dispatcher, SAP ICM and the SAP J2EE HTTP.
VerSprite's pen testers emulate cyber-criminal intent around invasion of countermeasures and quietly seeking to achieve target goals. As a group we feel that we truly capture and understand the cybercriminal aspects in associated threat motives in order to emulate attack patterns that support real-life threat motives. Clients have consistently discovered dramatic differences in results, findings, and overall approach to how we do manual penetration testing efforts.
Beyond our passion that fuels our desire to emulate cyber related attacks, we also leverage and are proficient with reputable frameworks around penetration testing. As a group, VerSprite’s AppSec group supports and interfaces with global organizations that seek to improve this misapplied and misunderstood practice that is penetration testing. The following are global standards that VerSprite’s AppSec supports as part of its AppSec services: