CYBERSECURITY
Protect your business from cyber threats:
a strategic step towards sustainable growth.
Standards:
OWASP WSTG, OWASP MASVS
NIST, ISSAF, PTES
Required documents:
NDA | Security Assessment Agreement
Targets: Web, Mobile, Infrastructure (internal/external)
WEB
Penetration testing of web applications is a process that includes a series of steps aimed at collecting information about the target web applications, searching for vulnerabilities in them, and creating or searching for exploits that can successfully compromise them.
Standards: OWASP WSTG
MOBILE
Mobile penetration testing aims to identify flaws in mobile applications (Android, iOS) that could lead to data leakage or theft.
Standards: OWASP MASVS
Infrastructure
A security assessment of an organization's external (internet-facing) and internal infrastructure, such as operating systems, cloud services, servers, and firewalls, requires specialist testing capabilities.
Standards: NIST, ISSAF, PTES
Our Cybersecurity Audit Methodologies
Black-Box (Closed-Box Penetration Testing)
- Simulation of an external attacker
- Perimeter security assessment
- Identification of externally accessible vulnerabilities
Grey-Box Penetration Testing
- Partial access to systems
- Insider attack simulation
- In-depth analysis of selected components
White-Box (Open-Box Penetration Testing)
- Full access to all systems
- Detailed code and configuration analysis
- Identification of hidden vulnerabilities
Red Teaming (Attack Emulation)
A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible but to test the organization's detection and response capabilities. The red team will try to get in and access sensitive information in any way possible within the agreed rules of engagement, as quietly as possible.
The Red Team Assessment emulates a malicious actor targeting attacks and looking to avoid detection, similar to an Advanced Persistent Threat (APT). Red Team Assessments are also normally longer than penetration tests. A Penetration Test often takes place over 1-2 weeks, whereas a Red Team Assessment could take 3-4 weeks or longer and often involves multiple people.
Estimation
Conducting an audit requires collaboration and close contact with technical specialists from the client's team. Their availability is often limited, which affects how quickly the audit can be completed.
For this reason, the exact time for completing the project is discussed separately with each client.
Web App Audit
Black-Box Penetration Testing
- 2-4 weeks
- 1-2 dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
130 hours
Grey-Box Penetration Testing
‣ Simulation of a real cyber attack.
‣ Some access to internal information
‣ More effective than black-box
- 2-4 weeks
- 1-2 dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
120 hours
White-Box Penetration Testing
‣ Security audit with complete information about the system.
‣ More comprehensive (Less Realistic)
- 2-4 weeks
- 1-2 dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
170 hours
Mobile App Audit
Black-Box Penetration Testing
- 2-4 weeks
- 1-2 dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
160 hours
Grey-Box Penetration Testing
‣ Simulation of a real cyber attack.
‣ Some access to internal information
‣ More effective than black-box
- 2-4 weeks
- 1-2 dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
150 hours
White-Box Penetration Testing
‣ Security audit with complete information about the system.
‣ More comprehensive (Less Realistic)
- 3-5 weeks
- Two dedicated engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
200 hours
Infrastructure & Networks Audit
Black-Box Penetration Testing
- 1-2 weeks
- one dedicated engineer
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
70 hours
Grey-Box Penetration Testing
‣ Simulation of a real cyber attack.
‣ Some access to internal information
‣ More effective than black-box
- 1-2 weeks
- one dedicated engineer
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
70 hours
White-Box Penetration Testing
‣ Security audit with complete information about the system.
‣ More comprehensive (Less Realistic)
- 1-2 weeks
- one dedicated engineer
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
80 hours
Complex Audit
What's included:
‣ Web App Audit
‣ Mobile App Audit
‣ Infrastructure (internal/external)
Standards: OWASP WSTG, OWASP MASVS, NIST
- 4-6 weeks *
- 2-3 security engineers
Result:
1. Report with detected system vulnerabilities
2. List of change tasks for developers
3. Recommendations for platform development to optimize cost, scalability, and security in the future
250 hours *
* The number of hours may be increased depending on the number of supplementary services and endpoints
CONTACT US
Basic security setup for startups
You can follow this flow assuming you are starting a product from scratch without existing VNETs, IdPs, or a parent company's network. If you have any of these, adjust the flow accordingly.