Penetration Testing Services
The Penetration Testing services provided by Insomnia Security cover a wide range of both internally and externally exposed environments. Conducting penetration testing on a regular basis helps ensure the security of the target environment from current threats, and helps to meet regulatory requirements such as PCI DSS.
While modern frameworks implement a number of ‘secure by default’ settings, application layer vulnerabilities and configuration flaws are continuously being discovered or expanded on. Testing performed by our experienced application security team adheres to our internally developed methodologies, which are regularly updated and reviewed to always ensure coverage of new vulnerabilities and attack methods.
Web Application and API Security Testing
The hosting server, application and API layer are tested for vulnerabilities including configuration, transport layer, and application-layer specific flaws.
Initial reconnaissance is performed using automated means to ensure comprehensive coverage and enumeration of known framework or server flaws. Following the initial enumeration stage, our experienced application security team members conduct manual penetration testing following a methodology that utilises the OWASP standards as a base minimum. This ensures coverage of application specific logic flaws as well as all known web application security bug classes, such as authentication and authorisation flaws; injection issues such as SQL injection, XML entity attacks, and cross site scripting; cross-user and cross-tenant data access issues; role based access control flaws; and attempts to subvert business rules and logic.
Network Vulnerability Assessment and Segmentation Testing
This testing focusses on the security of network connected devices within an internal or externally exposed network.
Vulnerability Assessment commences with a network port scan followed by enumeration of all available information from accessible services within the target network. This information is automatically mapped against a signature database of known vulnerabilities, combined with manual validation of identified issues. The Insomnia Security penetration testing team then review the gathered information to identify potential entry points and attack vectors for further focused in-depth manual penetration testing.
Network Segmentation Testing focusses on ensuring controls are in place to restrict access between network zones, on both wired and wireless networks. Testing of these controls includes network port scans as well as focused attacks on systems that have an increased level of network access.
Thick Client and Desktop Application Security Testing
Testing of thick client applications requires a different approach than traditional web-based applications, and our testing team have experience in reviewing client applications on Windows, Linux, and Mac systems.
While testing includes the network level packet capture to validate transport layer security and communications with any supporting services or APIs, testing also includes reviewing the application install itself. Binary analysis and reverse engineering techniques are used to dissect the client application and identify potential areas of security weaknesses. These may include the exposure of undocumented commands, the use of insecure API calls, or file structure insecurities that can be misused to elevate privileges.