PENETRATION TESTING

Protecting customer privacy and preserving intellectual property presents a challenge to every organization. Some of the most security-savvy corporations have experienced a devastating loss of revenue and reputational damage due to serious security breaches. An effective penetration test (pen test) can help you face the challenge. Pen testing simulates attempts to breach your organization’s security, giving you a better understanding of the risks and consequences of an attack.

IOActive primarily uses manual techniques to test applications and networks for exploitable vulnerabilities that could allow unauthorized access to key information assets. We also use automated software tools and customized proprietary scripts. This analysis allows us to assess your organization’s security posture against real-world attacks. IOActive will identify security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, invalid transactions, and other conditions generally recognized as posing security risks.

Application Penetration Testing
IOActive’s application pen test assesses the level of security awareness evident in the design of your application and estimates the likelihood of security issues based on our analysis. We focus on attacking, modifying, and hijacking client-server interactions supported by your application and can even target data assets used in your backend database systems.

We find and attempt to exploit security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, invalid transactions, and other conditions generally recognized as posing security vulnerabilities. This approach allows us to identify all existing attack vectors and demonstrate the impact of a real-world attack.

Web Application and Web Services Assessments
IOActive’s web application pen test assesses the level of security awareness evident in the design of your web application and estimates the likelihood of security issues based on that analysis. We focus on attacking, modifying, and hijacking client-server interactions supported by the web applications and can even target data assets used in your backend database systems.

We find and attempt to exploit security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, invalid transactions, and other conditions generally recognized as posing security vulnerabilities. This approach allows us to identify all existing attack vectors and demonstrate the impact of a real-world attack.

Mobile Application Penetration Testing
IOActive’s mobile application pen test is extremely thorough and starts with reviewing technical design documents, process flows, and the application’s security architecture in order to identify application attack surfaces. The test then includes elements such as:

  • Pen testing the application using threat model information
  • Testing for repurposing attacks that could allow attackers to manipulate the application in unexpected ways
  • Performing decompilation to identify client-side logic and shared secrets required to interact with your web services
  • Examining application-to-application interactions and attempting to impersonate system functions or sources
  • Attempting to bypass the authentication process or impersonate valid, logged-in users
  • Manipulating client-side code and locally stored information, such as session information
  • Altering client-side code to subvert authentication checking and establish the bounds of server reliance on client data fields
  • Altering API calls, URL request information, and GET or PUT requests
  • Attempting to escalate permissions by referencing application components with higher, server-side permissions
  • Exploiting race conditions to identify lax permissions or authentication checking
  • Attempting to subvert in-transit data between the client and server system
  • Testing for the “OWASP Top 10” vulnerabilities

Network Penetration Testing
During a network pen test, IOActive attempts to breach your network perimeter by subverting network devices, VPN solutions, and exposed servers. We build on our initial access to your network to probe the network core and associated devices. We then study token items within the perimeter to identify additional methods for compromising your network’s defenses.

After our initial analysis, IOActive assesses all authentication mechanisms, externally accessible network services, and externally accessible web applications. We also analyze network traffic, perform fuzzing tests, perform local host integrity checks, verify patch levels, and investigate scenarios where employees might be misusing company resources.

Wireless Network Penetration Testing
IOActive’s wireless network pen test reveals if an attacker can access your proprietary and sensitive data. We assess your wireless networks by identifying all wireless access points and then attempting to compromise them. We customize our methods, techniques, and attack vectors based on your implementation and the results of the wireless search phase.

Smart Grid Penetration Testing
IOActive’s smart grid pen test expertise highlights the vulnerabilities and methods an attacker could use against your smart grid meter platforms. Our goal is to apply focused testing on the areas that are most likely to be exploited or represent the greatest system impact.

Smart Meter Penetration Testing
Our smart meter pen test uncovers the vulnerabilities and methods an attacker could use against your Advanced Metering Infrastructure (AMI) system. We use a risk-based approach to understand the likelihood and impact of attacks. This information acts as a roadmap to identify where attackers will apply their efforts against your system.
