Security Assessment is about finding what is wrong so everything goes right. For example, if a service has the functionality to transfer money (dollars, bitcoins, digital wealth, etc.) it's highly likely it has Two Factor Authentication (2FA). In this case, the goal of an auditor must be to ensure there is no way to bypass 2FA and transfer money or even sign in. Possible bypass methods include brute force, injections, replay attacks, logical flaws and many others. Our auditors are up to the task.
We consider the following attacker models:
External attacker from the Internet - random criminals seeking targets of opportunity.
One of your users - those familiar with systems may feel they can exploit a vulnerability.
If present, one of your social media group moderators - sometimes used as the 'long con' penetration attack.
One of your social media or GitHub admins - access to trusted systems can be a strong temptation.
Following is a short list of PepperSec procedures:
Immersion in your project: absorbing documentation, learning from developers and system architects, and interacting with your interfaces as both regular users and system admins.
Automatic security analysis: including web, network, mobile security scanning, source code analysis, and more to find common security flaws.
Manual security analysis and testing of the system as a whole to find uncommon vulnerabilities, also known as 0-day attacks.
Ranking discovered security flaws, compiling the list of fixes and creating best practices to eliminate the identified problems.
Testing applied fixes to confirm they are complete and did not inadvertently introduce new bugs or vulnerabilities.
Creating a substantial, visually stimulating report to describe the completed job from a third party perspective.
Ready to talk? Drop us a line. We’ll be glad to answer your questions and assist you in becoming firstname.lastname@example.org