Virtual application penetration testing

NetSPI tests your virtual application where it is hosted, internally or in a virtualized environment, evaluating server-side controls, data communication paths, and potential client-related security issues. 

 

Our offerings for virtual application penetration testing and breakout assessments

Static analysis

During the static analysis phase of testing, NetSPI reviews the following areas:

  • Service account roles and permissions (e.g. client, application server, database server) 
  • Application file, folder, and registry permissions 
  • Application service, provider, WMI subscription, task, and other permissions 
  • Assembly compilation security flags 
  • Protection of data in transit 
  • Hardcoded sensitive data and authentication tokens (e.g. passwords, private keys) 
  • Hardcoded encryption material (e.g. keys, IVs) 
  • Use of insecure encryption and hashing algorithms 
  • Database user roles and permissions 
  • Database and server configurations

Dynamic analysis

During the dynamic analysis phase of testing, NetSPI tests and reviews the following areas: 

  • Authentication and authorization controls enforced on the client and server 
  • Application user roles and permissions 
  • Application workflow logic between GUI elements 
  • Web services utilized by the application
  • File system changes including file and folder creation, deletion, and modification 
  • Registry changes including creation, deletion, and modification of keys and values 
  • Application objects and information stored in memory during runtime 
  • Use of insecure encryption and hashing algorithms 
  • Network protocols utilized by the application (e.g. SMB, FTP, TFTP) 
  • Database connections

Breakout testing

During breakout testing, NetSPI identifies configuration and application functionality that may allow a remote attacker to access the operating system through the published application:

  • Virtualization platform vulnerabilities and misconfigurations
  • Application-specific functionality
  • Operating system configurations and security controls
  • Ingress and egress configurations and security controls

*Note: If you are only interested in breakout testing, this can be completed as a standalone project.

You deserve The NetSPI Advantage

Security experts

  • 250+ pentesters
  • Employed, not outsourced
  • Domain expertise

Intelligent process

  • Programmatic approach
  • Strategic guidance
  • Delivery management team

Advanced technology

  • Consistent quality
  • Deep visibility
  • Transparent results