Packetninjas offers three primary offensive security solutions:
- Penetration Testing (External & Internal)
- Application Security Testing (Web Application, Custom Application)
- Risk Assessments & Configuration Review
Why is application security and penetration testing important to you?
Vulnerabilities can come in many forms: implementation and configuration bugs, design bugs, logic bugs, etc.
Applications and infrastructure are often created, designed and implemented with functionality in mind, not security. With the migration of virtually every business process into automated computer applications, the security of proprietary data and the availability and security of applications are critical to a business's survivability. Hackers are now driven not solely by curiosity but by financial motive. Never before has there been a greater need for external perspectives on application and infrastructure security, when the economy of hacking can negatively affect your bottom line.
Figure 1: The Economy of a Vulnerability

How do you perform your assessments?
Assessments are generally methodical in nature, but the approach differs slightly depending on the discipline.
Source code review differs greatly from reverse engineering of binary code, but the same core concepts apply to both disciplines. Network penetration testing and web application testing differ in which bugs one looks for and in the length of a test, but in general most security holes are found through a methodical approach.
Within each security test, a generic process emerges that involves most of the following elements:

- Discovery and identification of targets and vulnerabilities
- Service and Protocol Identification
- Classification of targets, assets and vulnerabilities
- Exploitation of vulnerabilities
- Reporting of Findings
The primary offensive disciplines Packetninjas LLC offers include:
- Vendor vulnerability management and 3rd Party Application & Penetration Assessments.
- Penetration Testing (External, Internal)
- Application Testing
- Web Application Testing
3rd Party Vendor Vulnerability Management
Are you a large corporation where your data is housed with third party vendors?
Do these vendors simply hand you a SAS70, saying they have been audited?
Within the last 5 years, 98% of the companies we have tested have been compromised. Almost all of these companies have had a SAS70 or an audit by one of the top 5 accounting firms, or have had a vulnerability scan on their external perimeter stating they are “safe”. Through application tests or penetration testing we have found vulnerabilities and exploited them. Contact us about a partnership where we can test your vendor’s security as a neutral 3rd party!
Penetration Testing
With penetration testing we discover and exploit vulnerabilities and see how far we can get into your network. An engagement can take on differing perspectives (modem, wireless, external, internal, role-based, or social engineering tests, etc.). We will find the vulnerabilities in your environment, exploit them, and show you how to remediate these problems.
Application Testing
Are you thinking of implementing a 3rd party application into your environment and need to know the security posture of that application?
Do you know if your developers have taken any security training?
Do you know if your applications are exposed to security holes exploitable by an inside attacker?
Do you have a security process which complements your development process by segmenting a specific portion of your quality assurance process? We will find how insecure functions and libraries have been used, how authentication and authorization can be broken, and outline how these vulnerabilities impact your bottom line.
Web Application Assessments
If you're like the rest of the world, you rely on a web application for some business process.
Since web applications have a large array of moving parts, many common vulnerabilities can crop up that are exclusive to web applications.
Our assessment process for web applications combines manual and automated approaches to discovering vulnerabilities.
For blackbox assessments, we uncover vulnerabilities through a three-step process:
- Baselining Application – We start by baselining the application to understand the functionality of your application.
- Authentication & Session Tracking – We look for vulnerabilities available to an attacker that do not require any form of authentication to exploit.
- Transaction Testing – We look at all user-supplied data, as well as logic design and specific implementation vulnerabilities which may exist deep within the application or within the context of a normal authenticated user.

Our findings will include some of the following common vulnerability classes:
- Injection flaws (e.g. SQL Injection)
- Cross-site scripting (XSS) attacks
- Broken access control (e.g. malicious use of user IDs)
- Broken authentication/session management (use of account credentials and session cookies)
- Insecure configuration management
- Improper error handling
- Insecure storage and transport
- Unvalidated input
- Buffer overflows
- Denial of service
- Operating System Vulnerabilities
- Web Server Vulnerabilities
- Database Vulnerabilities
- Business Logic bugs
- Authenticated privilege escalation within the web application.
Once we have completed the technical portions of finding and validating vulnerabilities within your infrastructure or application, we will report those findings to you. Our reports are easy to understand: we use a high, medium, and low index, combined with details on the complexity of an attack as well as detailed instructions on how you can fix and mitigate current and future vulnerabilities. We don’t believe in a 1,000-page report; what we do believe in is a report that offers true quality, not quantity.
