Offense: Our Approach to Security Testing

Clients ask us to provide penetration testing as a security best practice, to meet regulatory compliance requirements, or to meet Board and customer expectations. While we tailor each test to our client's needs, the common denominators include:

  • Understand the business drivers for the test and how the results will be used.
  • Determine why the target system is important and if specific threat actors are of concern.
  • Develop test hypotheses, test to confirm the hypotheses, and pursue those that seem most plausible and that appear to pose the greatest risk to the target system.
  • Mimic methods used by sophisticated attackers. This requires creative, manual testing, not simply running automated tools.
  • Identify vulnerabilities and their root cause (to reduce the likelihood that the vulnerability will re-emerge).
  • Communicate the test results to technical and management audiences with equal emphasis given to positive findings.

KoreLogic's Penetration Testing Services

Test Type: What We Test

Mobile: Mobile applications, devices, network elements and end-to-end services for mobile carriers, third-party mobile service providers, and mobile applications developed by our clients.

Cloud: Cloud-hosted mission-critical applications, SaaS providers and public or private cloud infrastructure.

Web Applications: Web applications or other software, to find defects such as disclosure of sensitive information and privilege escalation.

Internal: Network devices, servers and endpoints, to gauge their resistance to attack.

External: Public-facing systems, to verify they are properly hardened for Internet exposure.

Vendor Risk Management: Testing of our clients' service providers who handle their confidential data or who have access to client IT resources.

Product Security: Pre-release security testing of new products, to help ensure they have been properly hardened for their intended use.

Red Teaming: Custom test scenarios that gauge the resistance to attacks against a client's most business-critical digital assets.

IoT Testing: We test the security of IoT devices/sensors, IoT communications, IoT platforms, IoT applications/APIs/portals, and backend infrastructure including IoT-supported clouds.

Hardware, Firmware and Embedded Software Testing: Assessing the security of any hardware, firmware or embedded software system involves determining whether it has been securely designed, whether its security functions perform effectively, and whether it is resistant to physical and logical attack. This typically requires threat modeling, abuse case development and testing at the application, operating system and network layers. KoreLogic uses a combination of testing techniques, such as hardware and software reverse engineering; network or application capture, analysis and manipulation; protocol analysis; cryptanalysis; source code examination; and custom software (e.g., device driver fuzzing) written to exploit suspected vulnerabilities.

For project examples of these security tests, see Impact Stories.