Application Security

Penetration Test

The process through which the security level of a network or an IT system is assessed is called Penetration Test. By means of the simulation of a wide scenario of cyber-attacks, this test provides an overall view of the effectiveness of the system’s security posture and highlights its vulnerabilities and deficiencies.

Our specialists’ experience in the field of application security is not only due to Web and Mobile Penetration Test activities, but also to long sessions of training, bug hunting and security research. Our methodology in providing security assessment services is in line with OSSTMM and OWASP standards.

Web Application Penetration Test (WAPT)

A Web Application Penetration Test is adversary simulation where our security researchers simulate an attack against the customer’s web application to find security issues.
The aim of the test is to identify weaknesses that could compromise the Confidentiality, Integrity, and Availability of the information processed by the in-scope portals.

Mobile Application Penetration Test (MAPT)

A Mobile Application Penetration Test is the service that better allows mapping the vulnerabilities of a Mobile Application (Android and iOS). Through a simulated third-party attack, the MAPT process aims at identifying weaknesses not only in the application itself (i.e. Buffer Overflows, Insecure Storage, Exposed IPCs / Services / Intents, etc.) but also in the APIs queried by the application (i.e. SQL Injections, Authentication Bypass, Insecure Direct Object References, etc.).

Black-Box Penetration Test

A Black-Box Penetration Test could be considered a real-world attack simulation. The only differences from a real attack are the objective and the time-frame: this simulation is not aimed at causing damages and has a limited time-frame.
With this approach the customer only provides the target URLs / Applications and the credentials, letting the penetration testers the task of getting their way through the scope to find the security issues.

White-Box Penetration Test

The White-Box Penetration Test is the most effective approach as it allows the testing team to access the source code, the servers configurations, the documentation, and a direct line with the developers.
This process aims at discovering not only the evident vulnerabilities but also insidious ones, which require a deep understanding of the platform flows and the relations between inner components.
One side effect of this approach is the ability to give precise suggestions to fix the vulnerabilities and to allow developers to easily identify and prevent vulnerable code patterns.

Code Review

Code Review is the perfect tool to check the security level of both a custom made and a third-party software.
Our study is manually carried out by our specialists, who are also provided with statistical analysis tools which can either be commercial or custom. In the second case, we develop our own implements in order to identify every kind of vulnerability in the most effective way.
Our knowledge about secure coding and offensive application security guarantees a double-check during the process, the main objective of which is to deliver a scientific and reproducible approach to security measures assessments.

Security Trainings

The growing importance of IT security is leading more and more companies to feel the need to raise awareness about this topic among their staff. This is why our course for Software Developers is born.

The course is held by experts in Application Security with a lot of practical and real-world examples tailored on the technologies used by the customer and aims at providing fundamental notions of Secure Coding that will be assessed through a final test.

The course is focused on the following topics:

  • Understanding The “Security Approach”
  • Most Common Vulnerabilities
  • Threat Modeling 101
  • Spot the Vulnerability - Practical
  • Patch the Code - Practical

We popp’d shells on Applications used by