Organizations that rely on enterprise web applications to support critical business functions are exposed to an ever-increasing number of Internet-borne threats. NetSPI's comprehensive web application penetration tests identify security vulnerabilities by performing basic threat modeling, automated testing, and manual testing. Automated testing leverages multiple market-leading tool sets, and manual testing is based on the OWASP Web Application Penetration Testing Guide. As a result, NetSPI is able to effectively test for emerging threats, business logic issues, and OWASP Top 10 web application vulnerabilities. Testing also includes a penetration test of the server components to ensure they cannot be leveraged to compromise the application.
Web services provide critical business capabilities to both internal and third-party applications. Over the past 10 years they have been adopted as a replacement for more traditional RPC-based services. However, as their popularity increases, so do the threats. Web services suffer from the common OWASP Top 10 vulnerabilities, but can also be vulnerable to attacks specific to web service technologies. NetSPI has developed a methodology that offers comprehensive coverage of both categories of attack through automated and manual testing of REST- and SOAP-based web services.
Thick applications are commonly underestimated as an attack vector, yet many of them present just as much risk as a web application. They are subject to many unique threats because of their trusted position on the system and because they can often be used to escalate privileges on the network. NetSPI's approach takes this into account by testing security controls in five core areas: file system, registry, memory, network communications, and graphical user interface (GUI). Throughout the Thick Application Penetration Test, NetSPI leverages emerging threats and common vulnerabilities to attempt to gain unauthorized access to data and functionality. By reviewing all of these attack vectors, NetSPI is able to provide a comprehensive understanding of the security posture of the thick client application.
With the increased use of mobile devices and applications in corporate environments comes increased exposure to threats. Mobile applications are commonly used to store and transmit sensitive data across corporate networks. As a result, the direct impact of a compromise becomes even greater, because mobile devices can be leveraged to gain access to data and other internal network resources. Using manual methods, NetSPI's approach to Mobile Application Penetration Testing includes testing security controls in four core areas: file system, memory, network communications, and graphical user interface (GUI). The testing can be conducted on a live device or via emulator software, which allows it to accommodate specific project constraints and requirements. Currently, NetSPI can perform Mobile Application Penetration Tests of iOS, Android, BlackBerry OS, and Windows Phone 7 based applications.