Chip & System Security Testing 
Looking ahead to future of Post-Quantum Cryptography, we have partnered with PQShield to strengthen our hardware security solutions.
SOLUTIONS

  • > Side Channel Analysis

    Ready-to-use side channel tools to assess cryptography algorithms.

  • > Fault Injection: Laser, EM & Glitching

    Make sure your chip withstands different techniques of physical fault injections.

  • > Firmware Security Analysis

    Qualify embedded code binaries without physical devices and benches.

  • > Security Failure Analysis

    Photoemission analysis to explore internal information in a chip.

  • > Vulnerability Research

    Dynamic analyses at a system level for investigating potential vulnerabilities.

  • > esDynamic for EDU SCA and FI

    A learning center for academics to teach and perform side-channel analysis and fault injection

TECHNOLOGIES

  • > Data Science Platform

    esDynamic is a complete data focused platform to leverage the know-how of your team for complex analyses.

  • > esFirmware Engine

    Assess the security of the firmware of IoT devices against logical and physical attacks.

  • > esReven Engine

    Record and replay vulnerability researches within reverse engineering processes and tools.

PROFESSIONAL SERVICES

  • > Cybersecurity Training

    Grow your expertise with training modules driven by a coach.

  • > Hardware Evaluation Lab

    High-end laboratory capabilities specialized in hardware security evaluations.

Mobile & Backend Security Testing 
Standard Mobile Payment Security PCI MPoC
Prepare for the future of mobile payments with PCI MPoC (Mobile Payments on Common-of-the-shelf devices).
EXPERTISE

  • > Mobile App Security

    Know the threats and risks of your Mobile App.

  • > DevSecOps

    Integrate the security protections verification in your CI/CD pipeline.

  • > PCI MPoC

    Prepare your product to meet this new mobile payment standard.

SOLUTIONS

  • > Mobile App Security Testing (MAST)

    esChecker SaaS: automating the security testing of your mobile app binary.

PROFESSIONAL SERVICES

  • > Mobile App Penetration Testing

    Testing the resiliency of your Mobile App, SDK or RASP tool.

  • > Backend Penetration Testing

    Testing the resiliency of your Web App, API or Backend Systems.

  • > Coaching for Mobile App Developers

    Providing insights into the mobile app threats and how attackers work by a learning-by-doing approach.

  • Go to our German website

Our Company 
Passionate about security and wanting to work in an exciting and innovative environment? Full time and internship opportunities starting 2023.
OUR COMPANY

  • > Events

CAREERS

  • > Meet our experts

  • > Open positions

    Join our team!

FOLLOW US
Blog
Contact us
eShard
/
Pentesting Backend And Webapp

Backend and WebApp Pentesting

With a penetration test (in short: pentest), we stress your web app, API and backend systems by simulating real-world attackers and shed light into the resiliency of your backend against adversaries. The results of a pentest provide you with information for your risk management practice and make your risks explicit. Therefore, performing pentesting is not an option, it is a must and a common practice at digitised companies.
Audit and Pentesting Mobile App Security

Penetration testing as a service

Are you looking for a standard pentest or a pentest of a complex system? Depending on the testing target, the pentest team is composed of various cross-functional experts, e.g. for analysis of proprietary cryptography protocols, hardware security or protocol stacks (e.g. Bluetooth, CAN bus). Pentesting requires teamwork and we assign a team of pentesters according to the mission’s need.

Our experts have a track record in security testing and reverse engineering of e.g. banking web applications and APIs, mobile apps, payment applications, IoT devices, healthcare devices, smartcards, POIs, ICs/SOCs and cryptography.

Contact our experts

How do we perform pentesting?

Before starting, both parties agree upon your objectives and expectations, the assets to be protected, the scope of the test, our approach (black-, grey- or white-box) and the general project setup.

We will report vulnerabilities identified using the Common Vulnerability Scoring System (CVSS) and assign a score/rating (= criticality) per vulnerability.

Irrespective of tools used by the pentester, pentesting requires state-of-the-art knowledge, expertise, experiences, imagination, creativity and intuition. Like in any other arts. Pentesting is our passion and profession.

Backend systems pentesting

Applications do not run on their own and require a supporting infrastructure such as operating systems, networks/network components and management components that form the glue. This includes e.g.:

  • Linux, Windows systems
  • AWS Cloud environment
  • Active Directory, Kerberos servers
  • Management components like Logging, Monitoring and Virtualization technologies
  • Active network components such as firewalls, routers and switches Since these systems may be vulnerable themselves and become the source or part of an attack, they also need to be considered as a potential risk.

Web app pentesting

A web app penetration test addresses both end points of a web application: the server-side as well as the client-side. The basic security assumption in this client-server model is that the server must not rely on any input provided by the client-side and protects itself. This has a significant impact on the protections required and the depth of testing.

In scope of the web app pentest are usually, among others, the following functionalities:

  • User access control mechanisms (authentication, session management access control)
  • Verification of user provided input and sanitization mechanisms
  • Defence mechanism (errors, logging, alerting, response)
  • Administration of the web app
  • Logic flaws in control flow
  • Server configurations
  • Outdated libraries and other software components

API pentesting

Web APIs are the key enabler for Web 2.0 and meshes of web applications. Browsers and mobile and web applications connect to backend systems via REST, SOAP, RPC and WebSockets. Assessing the endpoint resilience requires:

  • Automated & manual testing of the API (e.g. fuzzing)
  • Testing the authentication process
  • Testing the input validation
  • Testing for involuntary data exposure
  • Identification of logic flaws, especially in multi-step processes

Complementary services

Depending on the project objectives, a penetration test may include additional, specialised activities, such as:

  • Performance of a threat analysis
  • Performance of secure code reviews
  • Analysis of crypto protocols
  • Fuzzing external interfaces and protocols
  • Reverse engineering binaries and executables
  • Development of a proof of concept or an exploit for demonstration purposes

Interested?

Contact us

Blog Articles

Mobile App & Software

RASP Tools: silver bullets for mobile app protection?

8 min read
Edit by Thilo Pannen • Dec 7, 2022
CopyRights eShard 2023.
All rights reserved
Privacy policy | Legal Notice
SECURITY TESTING SOLUTIONS
Side Channel AnalysisLaser & EM Fault InjectionFirmware Security AnalysisSecurity Failure AnalysisVulnerability ResearchMAST: Mobile Application Security Testing
TECHNOLOGIES
Data Science PlatformesFirmware EngineesReven Engine
PROFESSIONAL SERVICES
Cybersecurity TrainingHardware Evaluation LabPenetration Testing for Backend and WebAppPenetration Testing for Mobile Applications
COMPANY
About usJoin our team!EventsBlog