PENETRATION TESTING SERVICES

A penetration test is an authorised attempt to hack and gain access to an organisation's data via its Web application. It is conducted to identify vulnerabilities so that they can be rectified before any potential cyber-attack is made.

Application security assessment combines manual and automated testing to perform a comprehensive dynamic security assessment of the application. Manual testing attempts to circumvent business flow, elevated access to authorised users, vulnerabilities in internal application web pages, and eliminate false positives generated during automated testing.

Types of Web Application Penetration Tests offered by TÜV SÜD South Asia

Deliverables: Findings and recommendations report that includes a brief description of the activities performed during the security review, a description of the vulnerabilities identified, the potential impact of the vulnerabilities, and risk rating associated with the vulnerabilities. Recommendations to rectify the identified vulnerabilities will be provided as well.

Certified Security Experts: Our cybersecurity experts are qualified by CEH, ECSA, OSCP, CISA, CISSP, and more.

Communication & Collaboration: After analysing the code, our specialists will share recommendations on how to address them. Our experts will communicate with you on the necessary implementations.

Remediation Testing: Our experts will provide you improvised answers for your slip-ups and guarantee your association's security. We will support you in fixing all the vulnerabilities found.

Penetration testing for mobile applications is performed to analyse mobile apps' security vulnerabilities to protect against cyber-attacks. The Apple App Store™ and Google Play™ host more than 6 million mobile apps combined. Organisations need proven mobile security testing across all app components. Successful mobile app pen testing begins with TÜV SÜD's decades of skills, exemplary customer service, flexible scheduling, and lightning-fast turnaround time. These critical elements facilitate a threat-based approach, thorough testing with multiple analysis types, and support to remediate and validate any issues discovered.

Experts carry out detailed reviews of the security of in-scope applications by performing a reverse engineering of the application followed by performing application penetration testing from the perspective of an unauthenticated user as well as a legitimate user of the application at various privilege levels aimed at bypassing inter-user access control restrictions and/or gaining privileged access by exploiting the vulnerabilities in the application.

Remediation Activity: Verifying threat isolation and successful remediation of vulnerabilities is critical to success. Through a targeted retest, TÜV SÜD’s security analysts confirm proper remediation for confidence that the mobile app is safe for production or external use.

When is a Pen Test needed?
Several factors make penetration tests necessary for mobile apps. One critical factor is compliance requirements. A penetration test is also required for certain features, functionalities, or authentication measures to ensure the safety of customer data, PII, and company IP.

TÜV SÜD’s solutions follow industry frameworks, mobile app security standards and compliance standards with mobile apps. These include OWASP Mobile Application Security Verification Standard (MASVS). Encompassing all possible pen test options ensures the most successful assessment plus operationalises a repeatable mobile penetration testing methodology. This methodology includes the OWASP Mobile App Security Checklist to ensure higher quality and fewer malicious exploits.

API security testing involves the testing of the endpoints of an Application Program Interface (API) for reliability and security to ensure that it complies with an organisation's best practices.

How does API security testing work?

API security testing helps organisations to ensure that they meet basic security requirements, including the conditions of user access, encryption, and authentication concerns. API scanning aims to craft inputs to coax bugs and undefined behaviour out of an API. This is done to mimick the actions and attack vectors of potential hackers.

API security testing starts with defining the API to be tested and sending the request and response of the API to the tester. This information is used by the API security tests to construct fuzzed input tailored to the API's expected input.

At the end of an API security testing, a report detailing the vulnerabilities or bugs found while fuzzing the API is produced. The report could include findings such as SQL and OS command injections, path traversal issues, authorisation / authentication bypasses, and OWASP Top 10 API vulnerabilities such as broken authentication, security misconfiguration, and data exposure.

During this engagement, experts assist in identifying the security gaps associated with the APIs in digital channels under scope. Our high-level project approach consists of five phases, as depicted below:

Phase 3: Security Assessment for API

This phase involves a detailed security assessment of the APIs in the scope. TÜV SÜD experts will identify key security gaps in the APIs integrations with the web and mobile applications.

This will involve black box and grey box testing methodologies of the digital channels API usages, its messages/ payloads security, and the various integrations.

The primary purpose of this engagement is to identify the security gaps in API implementation, configuration and various integrations.

Types of API Assessment

Why is API security testing important?

APIs are essential components of many applications, they provide developers with powerful interfaces to the services offered by an organisation. Ensuring that APIs conform to published specifications and are resilient to harmful and potentially malicious input is critical to an organisation's overall cybersecurity posture.

Traditional Dynamic Application Security Testing (DAST) scanners are unable to completely cover APIs, they are only able to cover a small portion of them. If an organisation's front end does not interact with the endpoints of API, traditional DAST scanners will be unable to capture them. Therefore, it is crucial to adopt a modern, dynamic API security testing strategy that could target issues in all of an API's endpoints.

Secure code review is the process of checking an application’s source code to identify and eliminate vulnerabilities that may have been inadvertently placed there during development. It may be done manually with a real person reviewing the code line by line or with automated secure code review tools, which scan the code and report flaws.

Both methods have pros and cons. Manual reviews are time-consuming and error-prone and require domain expertise to be truly effective. Automated secure code review tools are faster, less error-prone, and expensive. In addition, some tools only find certain types of flaws, while others produce "false positives," which require time-consuming human intervention. This is why we recommend using a combination of the two.

Our service offering consists of a Manual and Automated approach that accurately analyses the security-based vulnerabilities within an application's custom code.

TÜV SÜD’s Security code reviews focus on these areas:

• Authentication and authorization
• Data validation
• Error handling
• Session management
• Security configuration
• Logging
• Encryption

Tools used in Source Code Review:

• Sonarqube
• Visual Code Grepper (VCG)
• Insider
• Semgrep

Standards:

• OWASP Top 10
• NIST
• SANS Top 25

TÜV SÜD's network pen testing simulates a real-life attack, providing critical information about potential weaknesses hackers could use as entry points to gain access to your network(s). TÜV SÜD's security specialists use various methods to attempt to compromise your networks.

The main benefit of implementing network pen testing is that it allows an organisation to gain valuable insights into its overall security posture and allows it to take informed actions to resolve problems before a malicious actor can exploit its systems.

TÜV SÜD’s network pen testing provides the following benefits:

• Analysis and an understanding of security posture and controls.
• Prevent breaches before they can happen.
• Learn what to do in the situation of an actual attack by knowing how a system responds to hacking activities.
• Spend less time and money fixing damage caused by preventable attacks.

Cloud penetration testing empowers organisations to bolster their cloud environments' security, prevent avoidable systems breaches, and stay compliant with the industry regulations. This is done through the identification of vulnerabilities, risks, and gaps in a security program. It provides actionable remediation advice, enabling security teams to prioritise activities and attend to security issues in alignment with their most significant business risks.

Specifically, cloud pen testing:

• Helps improve an organisation's overall visibility of its business risk
• Helps to identify vulnerabilities.
• Demonstrates the potential impacts of identified vulnerabilities if exploited.
• Provides clear remediation advice to address vulnerabilities and mitigate their associated risks.

How can TÜV SÜD help?

To become more agile, reduce time to market, and lower costs, businesses are moving their application workloads to the cloud. Whether developing a cloud-native application or migrating an existing one to the cloud, TÜV SÜD can help you increase innovation, reliability, and efficiency without sacrificing security.

TÜV SÜD’s on-demand penetration testing enables security teams to address exploratory risk analysis and business logic testing, helping you systematically find and eliminate business-critical vulnerabilities.

Red Teaming is an adversary simulation that provides a safe and controlled way for security operations teams to uncover vulnerabilities, test response capabilities, and identify areas of improvement. Although penetration tests can identify loopholes in an organisation's security posture, red teaming is a more comprehensive approach.

Through our Red Team Assessment services, we aim to provide our clients with the following: 

• A real-world perspective of threat actors
• A holistic view of security controls
• Evaluate security incident response capabilities

Red Team Assessment includes:

High-Level Approach:

• Red Team Assessment requires a very strong reconnaissance. 
• Much information is gathered about the target organisation through open-source intelligence.
• The types of cyberattacks the Red Team will launch and how they will be executed are mapped out.  
• Threat modelling and vulnerability analysis help assess the security risks of business functions.
• Cyberattacks are launched once the plan is mapped to the information gathered.
• Our reports include a summary and details of simulations performed and the attack surface overview.
• Additionally, we provide an Executive report that gives a synopsis of the activity & recommends strategy to Management.

Configuration management plays a major role in the IT infrastructure through configuration and change management processes to identify, control, record, track, report, and verify configuration changes and maintain systems' integrity and functions afterwards.

Configuration Review, on the other hand, means checking on these configurations to see whether their optimal usage is taken and if there are any misconfigurations.

Most of the common systems should undergo configuration reviews, including:

• Network Devices
• Firewall
• Web servers
• Database servers
• Operating Systems
• Internal Systems
• Wireless Networks

Configuration Review services provided by TÜV SÜD:

Our configuration review services will ensure your secure configurations align with security best practices and standards. We help you review your network architecture, device configurations, and rule sets for most security-optimal settings. We identify your configurations by deep driving to them and provide a report of vulnerabilities found and actions or recommendations that should be taken.

Our Configuration Reviews will cover the following areas:

• Password policy
• Network ports
• Data storage
• Security Systems
• Logging configurations and auditing policies
• Security hardening
• Cryptographic configurations
• Access controls
• Other product – Specific configuration options

TÜV SÜD follows a step-by-step approach to conducting configuration reviews:

1. Identifying: The IT infrastructure of the organisation will be identified. The current configuration in the system will be understood.

2. Reviewing: The configuration setting will be checked against the key areas and others. The weaknesses will be identified and rated.
3. Reporting: The issues and the recommendations will be reported.

Tools:

• Nessus
• Nipper

Standards: CIS Benchmark

TÜV SÜD South Asia understands the complexity of IoT and connected systems. We will assess the highest-risk systems and communications so you can focus on the critical entry points. We will work with your team to develop comprehensive threat models of your system that can evolve with your end-to-end product lifecycle, support you in identifying and mitigating the most critical issues, and provide a document of your product's security posture.

Our IoT Services at a Glance

• In-depth assessment: TÜV SÜD can tailor a unique program to suit your organisation's needs. We can provide penetration tests regularly covering various areas with different requirements to ensure the overall security of your business.
• Relevant certifications: The improved IT infrastructure from the penetration test can work with other industry standards. TÜV SÜD is a one-stop provider for your certification needs and services, including ISO 27000, PCI DSS, and SOC 2 (Type 1 & Type 2).

IoT Penetration Testing

Our penetration and system analysis testing solutions go beyond fundamental analysis to consider the whole ecosystem of IoT technology, considering every segment and how each impacts the overall security. We can test IoT mobile applications, communication and protocols, cloud APIs, and embedded hardware and firmware.

• Hardware testing: TÜV SÜD will examine the device's physical security and internal architecture. This includes internal components to understand the breadth and depth of its physical attack surface. This service may comprise component indication, firmware extraction, test points identification, and reconfiguration of the device's hardware to bypass authentication, intercept traffic, and inject commands which pose significant risks to your organisation and clients.
• Protocol testing: TÜV SÜD will test communications to and from the device. We will test the cryptographic security of encrypted transmissions, the ability to capture and modify data transmission, and the fuzzing of the communication protocols. The test will cover an assessment of the security of communication protocols where we will determine the risk to your organisation and clients.
• Firmware Analysis: To identify backdoor accounts, injection flaws, buffer overflows, format strings, and other vulnerabilities, TÜV SÜD will extract and examine the firmware content. Also, we will assess the upgrade process of the device's firmware for vulnerabilities and conduct a secure boot review process, ensuring that public key encryption and upgrade functionality are secure.

IoT Security Design and Advisory

Often, designing hardware is the first step to starting a significant project, and it can determine your limitations and weaknesses. Our service provides your engineers one-on-one time with our security advisors during the design phase. We offer advice from the ground up so that hardware issues do not become the Achilles' heel of your software security architecture.

• TÜV SÜD’s state-of-the-art penetration testing laboratory, located at Mumbai, India is fully-equipped with biometric access and dedicated connectivity to ensure 100% client data privacy
•  Our cyber security team comprises of certified penetration testers, capable of carrying out advanced simulations to determine security weaknesses
• As a CERT-In empaneled regulatory auditor our cybersecurity team, we deploy standardised global delivery processes to provide penetration testing services across the globe
• The report is presented in a standard TÜV SÜD reporting format with details of the testing performed, vulnerabilities unearthed and recommended fixes. By
  addressing these security flaws found through VAPT, you can then be assured of the best possible protection against attacks from criminal hackers