
Pentesting - Backend and WebApp

Backend systems are the main targets for attackers, because that is where the reward, the "jackpot", sits. Backend systems typically host web applications or act as central hubs in a distributed mobile or IoT ecosystem to which the devices connect via an API. Penetration testing validates the resistance of these systems and applications against attackers and aims to uncover vulnerabilities in the target systems before adversaries are able to exploit them.

Penetration testing is an art

A security expert performing the PT applies real-life attacks, as if they were carried out by an adversary. The penetration tester identifies and combines seemingly inconspicuous vulnerabilities to develop exploitable paths into the target system and to the core assets, such as personal data, bank account data or health data. Like any other art, penetration testing requires state-of-the-art knowledge, experience, imagination, creativity and intuition. Do you know an artist who thinks like an attacker? This is our profession and what customers benefit from.

Our Approach

eShard believes in penetration testing as a powerful tool for effective risk management. To analyse a system in depth and determine potential risks, eShard performs penetration tests in a team. Depending on the required skill set, the pentest team may include recognized experts in their subject matter, e.g. in crypto or reverse engineering. Our pentest team members dedicate a significant amount of their working time to research, which enables us to provide state-of-the-art services.

Penetration testing is a service

The pentest with eShard does not stop with the report and support during remediation. We additionally provide insights into potential weaknesses in the development and deployment processes to enhance organizational security maturity. Pentesting projects are delivered using the PMI PMBOK methodology.

What are the penetration test must-haves?

Key to the success of any pentest is a well-defined scope. Bad scoping may reduce the value of the penetration test, since real-world attackers won't care about the scope (or the time budget), or it may result in avoidable extra time and costs.

Therefore, eShard makes sure that the scope is well defined and agreed before the actual project starts, and that it is constantly reviewed during the project, in line with the PMI PMBOK project management methodology.

API penetration test

Mobile applications and IoT devices connect to backend systems via REST, SOAP or other API endpoints. Assessing the resilience of these endpoints includes, for example:

  • Automated and manual testing of the API (e.g. fuzzing)
  • Testing the authentication process
  • Testing the input validation
  • Testing for unintended data exposure
  • Identification of logic flaws, especially in multi-step processes

Web application PT

Web applications are used everywhere and are the common interface to end users and customers. The WAPT addresses both parts of a web application: the server side as well as the client side. Typical server-side technologies include Java, PHP, Python, Ruby and Rust, with JavaScript on the client side. Where applicable, eShard also considers WebViews, a client technology frequently used in mobile applications.

Platform/OS & Network

Applications do not run in isolation; they rely on underlying operating systems, networks and management components that form the glue. This includes, e.g.:

  • Linux, Windows
  • Active Directory, Kerberos
  • Other management components like logging, monitoring and virtualization technology
  • Network components like firewalls, routers and switches

Since these systems eventually pave the way for an attacker, a PT needs to consider the threats and vulnerabilities at this layer, too.

© eShard 2021. All rights reserved