Pentesting - Backend and WebApp
Penetration testing is an art
A security expert performing the PT applies real-life attacks, as if they were performed by an adversary/attacker. The penetration tester identifies and combines seemingly inconspicuous vulnerabilities to develop exploitable paths into the target system and to the core assets like personal data, banking account data, health data etc. Penetration testing requires state-of-the-art knowledge, experiences, imagination, creativity and intuition, like any other arts. Do you know an artist who thinks like an attacker? This is our profession and what customers benefit from.
Our Approach
eShard believes in penetration testing as a powerful tool for effective risk management. To analyse a system in depth and determine potential risks, eShard performs penetration tests in a team. Depending on the required skill set, the pentest team may include recognized experts in their subject matter, e.g. in crypto or reverse engineering. Our pentest team members dedicate a significant amount of their working time to research, which enables us to provide state-of-the-art services.
Penetration testing is a service
The pentest with eShard does not stop with the report and support during remediation. We additionally provide insights into potential weaknesses in the development & deployment processes to enhance organizational security maturity. Pentesting projects are delivered using PMI PMBOK methodology
What are the penetration test must-haves?
Key to the success of any pentest is the well-defined scope. Bad scoping may reduce the value of the penetration test as real-world attackers won’t care about the scope (and time). Or, it may result in avoidable extra time and costs.
Therefore, eShard makes sure that the scope is well defined and agreed before the actual project starts and constantly reviewed during the project, and in line with PMI PMBOK project management methodology.
API penetration test
Mobile applications and IoT devices connect to backend systems via REST, SOAP or other API endpoints. Assessing the endpoint resilience requires e.g.
- Automated & Manual Testing of the API (e.g. Fuzzing)
- Testing the Authentication Process
- Testing the input validation
- Testing for involuntarily data exposure
- Identification of logic flaws especially in Multi-Step Processes
Web application PT
Web applications are used everywhere and are the common interface to end users and customers. The WAPT addresses both parts of a web application: the server-side as well as the client-side. Known technologies for server-side include Java, PHP, Python, Ruby, Rust (?), and JavaScript for client-side web applications. Where applicable, eShard considers WebViews as a client technology which is frequently used in Mobile Applications.
Platform/OS & Network
Applications do not run in isolation but require underlying operating systems, networks and management components that form the glue. This includes eg.
- Linux, Windows
- Active Directory, Kerberos
- Other management components like Logging, Monitoring and virtualization technology
- Network components like Firewalls, Routers and Switches Since these systems eventually pave the way for an attacker, a PT needs to consider the threats and vulnerabilities at this layer, too.