Offensive Security takes the phrase "The best defense is a good offense" as its premise. This type of cybersecurity implements security measures through hacking strategies that identify potential risks before a real attack happens.
In other words, offensive security uses the same tools, mechanisms, and technologies that a cyber-criminal would use, in order to identify threats before any attack attempt, so that the organization has a plan to respond immediately and keep the situation under control.
Our Assessment team tests the security of your company by simulating a real attack from different areas. There are three types of security assessments depending on the size of the project.
"True hackers follow a certain set of ethical rules, which prevent them from profiting or causing harm in their activities." - Kevin Mitnick
This type of assessment aims to evaluate the weaknesses that may arise in a given system, application or software that could affect its integrity during its useful life. This service determines the security level of the company and how these vulnerabilities can affect the stability of the business.
According to the environment
The assessment may vary depending on the environment where the tests are conducted.
The internal vulnerability assessment is done through the client's internal network, its own intranet, in the client's offices, or through a VPN.
The external vulnerability assessment is done from outside the network, over the Internet.
Pentesting is focused on carrying out penetration tests, attacking information systems or the organization itself.
The main aim of these tests is to discover any type of vulnerability that could affect the environment and provide the basis for preventing such attacks.
In order to carry out this type of assessment, we use methodologies such as OWASP, OWASP Mobile, OWISAM, OpenSAMM, OSSTMM, OSINT, among others. In addition, we rely on the CVSS framework, which establishes the parameters for the characteristics, impact, and complexity of any vulnerabilities found.
ACCORDING TO THE INFORMATION
The assessor has information about the infrastructure, application or systems to be tested, is given a user account with limited permissions and, in some cases, has access to the source code. This is done at the client's offices or through a VPN provided by the client.
E.g.: A disloyal employee who wants to damage the company’s reputation.
ACCORDING TO THE ENVIRONMENT
Pentesting, like the vulnerability assessment, varies depending on the environment where the test is performed.
Ethical Hacking / Red Team
When we talk about "Ethical Hacking" we refer to pentesting. Pentesting covers absolutely EVERYTHING: there is no specific target and everything is explored, so the only limit is the one agreed with the client before carrying out the tests, where certain types of tests can be excluded.
In exercises like this, we simulate the behavior of an actual attack carried out by a cyber-criminal group whose aim is to compromise the entire organization, using the typical methods employed by such groups.
In terms of offensive security, these tests are the most advanced: they use little-known attack vectors, or even design new ones, in order to test the protection of organizations at the highest level.
These exercises usually last between a few weeks and several months, depending on the scope agreed for the project. In short, ethical hacking provides the greatest value for the client when it comes to technical security assessments: the aim is to take control of the organization by whatever means, and even to remain in the network until the assignment has been completed.
SAST & DAST
Static application security testing (SAST) is a set of technologies focused on analyzing an application's source code and binaries for coding and design conditions that indicate security vulnerabilities. SAST solutions scan an application from its source code, before the code is compiled.
Under this service, the client provides us with the source code to be tested and we perform both manual testing (reviewing the code line by line) and automated testing.
Using specialized static code analysis software, we detect vulnerabilities in the source code provided. Once completed, a report is delivered to the client with the flaws found in the code and the corresponding suggestions for fixing them.
As an additional benefit, our development and quality team will examine the quality and reliability of the source code provided and recommend the improvements required.