Our clients often ask about the specific tools we use during a pen-test and the rules of engagement we adhere to in order to ensure the security and integrity of their applications. This article aims to address these concerns, providing an in-depth understanding
Tools Utilized
At Secure Ideas, we primarily leverage manual pen-testing methodologies augmented with selective automation. This 'surgical' approach ensures we perform thorough, intelligent, and contextual testing, minimizing the chance of false positives and negatives.
1. The Browser: The web browser is our primary tool for interaction with the client's application. This enables us to see what a potential attacker would encounter, providing a first-hand experience of potential vulnerabilities.
2. Interception Proxy (Burp Suite): Burp Suite, a highly efficient and reliable interception proxy tool, allows us to intercept, analyze, and manipulate traffic between the client's application and our browser. This tool is often referred to as the Swiss Army knife of manual application penetration testers.
3. Postman: When it comes to API testing, Postman is a powerful addition to our arsenal. This tool allows us to send various types of HTTP requests to the client's web services and analyze the responses. Postman can be used to test API endpoints, verify response codes, validate schema, and check response times, among other functionalities.
4. Custom Scripts: Depending on the complexity of the application and the unique requirements of the test, we may use custom scripts to automate and enhance certain aspects of our testing process. These scripts help us delve deeper into the application's behavior and potential vulnerabilities.
Rules of Engagement
While we take every measure to uncover vulnerabilities in a system, Secure Ideas maintains a stringent set of rules of engagement to ensure the ongoing integrity and availability of your applications during testing.
1. Preservation of Availability: We abstain from operations that could intentionally disrupt the availability of the application, such as launching denial-of-service (DoS) attacks or sending a large volume of concurrent requests. Our goal is to identify vulnerabilities without impacting your operations.
2. No Backdoors: As part of our ethical approach, we do not install any backdoors in your systems without first discussing them with you. We aim to minimize risks, not introduce new ones. By avoiding actions that could potentially allow unauthorized access, we maintain the highest standard of ethical hacking.
3. Prompt Reporting: Should we encounter signs of a pre-existing compromise during our testing or identify critical vulnerabilities, we cease testing and promptly report these findings to the client. Transparency and swift action are fundamental to our operations.
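As an added illustration, not Secure Ideas' own tooling, of how a custom script from the Tools section can be made to honour the rules above: a small Python pacing wrapper that caps sends per rolling window (Preservation of Availability) and halts the run after repeated server errors, the point at which Prompt Reporting says to stop and report rather than keep pushing. The clock, the HTTP client and the target's responses in run_demo are constructed stand-ins so it runs offline.

```python
import time
from collections import deque

class EngagementThrottle:
    """Never exceed max_per_window sends in any rolling window_s seconds, and
    halt after error_halt consecutive 5xx responses from the target."""
    def __init__(self, max_per_window, window_s, error_halt=3,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_per_window, self.window_s, self.error_halt = max_per_window, window_s, error_halt
        self.clock, self.sleep = clock, sleep   # injectable so the pacing is testable offline
        self.sent = deque()                      # timestamps of sends still inside the window
        self.consecutive_errors, self.halted = 0, False
    def wait_for_slot(self):
        """Block until one more send keeps us under the rolling-window cap."""
        if self.halted:
            raise RuntimeError("testing halted: target is returning server errors")
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window_s:
                self.sent.popleft()              # drop sends that aged out of the window
            if len(self.sent) < self.max_per_window:
                self.sent.append(now)
                return
            self.sleep(self.sent[0] + self.window_s - now)
    def record(self, status_code):
        """Feed every response status back so sustained 5xx trips the halt."""
        self.consecutive_errors = self.consecutive_errors + 1 if status_code >= 500 else 0
        if self.consecutive_errors >= self.error_halt:
            self.halted = True

def paced_send(throttle, send, request):
    """send(request) must return an HTTP status code; wrap any client this way."""
    throttle.wait_for_slot()
    status = send(request)
    throttle.record(status)
    return status

def run_demo():
    """Constructed target that is healthy for 7 requests, then returns 503."""
    t = [0.0]                                    # fake clock so the demo runs instantly offline
    def now(): return t[0]
    def sleep(seconds): t[0] += seconds
    throttle = EngagementThrottle(5, 1.0, clock=now, sleep=sleep)
    log = []
    for i in range(20):
        try:
            status = paced_send(throttle, lambda req: 200 if req < 7 else 503, i)
        except RuntimeError:
            break                                # rule of engagement kicked in; stop and report
        log.append((now(), status))
    return log, throttle.halted
```

run_demo shows the first five sends at t=0, the next five deferred to t=1, and the run stopping after the third consecutive 503 even though 20 requests were queued.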
At Secure Ideas, our application pen-testing methodologies are designed to provide comprehensive assessments while ensuring minimal disruption to your operations. By entrusting us with your web application penetration testing, you can be assured of a robust, ethical, and thorough approach to securing your digital assets.