To ensure consistent quality throughout its application audits, immunIT has chosen to draw on the OWASP methodology during its engagements. For our penetration tests and code reviews, our teams rely on the following standards:
While the content of each penetration test can be modulated depending on the mandate, the following checks are generally common to each of our application audits:
- Configuration and deployment platform audit
- Identity management audit
- Authentication audit
- Access control audit
- Session management audit
- Input validation audit
- Error handling audit
- Cryptography audit
- Business logic audit
- Client-side code execution audit
Black/grey/white box penetration test
Our teams can conduct each of our penetration tests – be they external or internal – with varying degrees of information. To reflect an attacker’s perspective as closely as possible, no prior information is provided to us (black box). If, however, the customer requires a more thorough audit in which the reconnaissance phase may be shortened, comprehensive information is provided to our auditors (white box). It is also possible to conduct an audit under intermediate conditions, in which our teams receive limited information, or information supplied during the course of the audit (grey box). In addition to the amount of information provided to the auditors, the access level provided (none, authenticated, privileged) can also be customized.
The penetration test can be complemented by a code review of your application. This stage allows for the detection of vulnerabilities that would be hard to test for during a dynamic assessment. Code review makes it possible to identify, early in the software development life cycle (SDLC), software vulnerabilities or unsafe patterns left in the application code. Once these vulnerabilities have been identified, immunIT can propose fixes to your development teams.