Security Testing & Remediation
ISAS has long been acknowledged by our clients for our technical expertise as well as our guidance and assurance from an Information Security perspective. The following services are illustrative of the work that ISAS have delivered over the years in response to our clients' demands and range from identifying specific vulnerabilities to addressing them on their own infrastructure.
Penetration Testing a new system is the ultimate validation that the design, development and deployment of that system is in-line with secure practices.
The ISAS Penetration Testing team continue to impress clients and developers alike when given access to a new system and demonstrate the flaws they were able to exploit. It can be quite a sobering moment when the evidence is presented. The team are continuously honing their skills and earning plaudits for their results. An organisation choosing to have a Penetration Test carried out, and particularly a "Crystal Box" one, is demonstrating real maturity in the Information Security space. Ideally, this takes place once User Acceptance Testing is complete and before "Go Live". This means there is still a chance to remediate any issues identified, retest to validate, and then release to the Internet.
Operating Systems & Application Layer Hardening
By default, most Operating Systems (OS) that are installed "out of the box" are very general in their nature, and by that measure, usually insecure. They are trying to offer a wide gamut of services, with very few restrictions. Some vendors have partially addressed these issues through role-based installation and minimisation of unnecessary services. Despite these efforts, it is ISAS's opinion that the OS still needs a further layer of 'hardening' applied. ISAS can work with the organisation to determine the most appropriate hardening policy to be applied to a specific OS. Training can also be provided to ensure that an organisation's own support teams understand the hardening process, the rationale for decisions on settings, and problem resolution. ISAS want the client to be self-sufficient, where appropriate, when it comes to OS Hardening. In the same way as the OS needs hardening, so too do the application layers that are installed. Whether it is a web content delivery application, a database application or some level of middleware, there is likely to be a level of hardening required. The ISAS philosophy is that this hardening should never be dependent on one person or organisation, and documenting the hardening is a key feature of the ISAS engagement.
Source Code Reviews
Over recent years the move to "DevOps" and other rapid development and deployment methodologies has, in some cases, led to a quality issue in terms of Information Security vulnerabilities being introduced. These may not be caught until the next major Penetration Test, and by then, the damage may have been done and possibly a breach has occurred. By doing source code reviews, and particularly automated ones, many of these issues can be caught before code is 'dropped'. ISAS can provide a range of source code review options for clients, but the most popular at the moment is Static Application Security Testing (SAST). This automated process can save huge amounts of developer time and business frustration.
Static Application Security Testing (SAST)
Organisations are at varying levels of maturity when it comes to software (or "application") development. Delivering secure systems, that need minimal remediation at the Application Penetration and Security Testing stages prior to going live, can dramatically save time and cost.
ISAS can facilitate the Static Application Security Testing (SAST) of source code that can achieve this objective. They are experienced in introducing the concepts of developing secure code all the way through to designing embedded steps in DevOps for automated static code analysis during code drops.
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an internationally recognised standard for the development of online systems.
ISAS has extensive experience with OWASP and the implementation of the principles at design and development stages. ISAS would work with an organisation to ensure that the principles of OWASP are integrated at all levels in the design and delivery of any new service. This greatly reduces the likelihood of an issue in the future.
Firewall & Perimeter
The familiar adage that security has many layers is as relevant today as it has ever been. However, organisations must still ensure that the clear and present dangers to their network perimeter are clearly understood and that mitigations are in place.
While conducting security reviews of firewalls and network perimeters, ISAS consider each client's technical and functional requirements. ISAS also ensure that each client's specific threat surface and attacker Tactics, Techniques and Procedures (TTPs) are considered. This is often achieved by assessing specific attack scenarios and using the cyber kill chain identified for each scenario to derive mitigations against those TTPs that the client can implement.
Active Directory
As a key building block of most organisations' systems, it is critical that Active Directory is configured to provide a solid foundation for the desired security posture. There is a vast array of parameters that can be set, and many of the default settings, while simplifying administration, are not necessarily the most secure.
The independence of ISAS ensures that our clients can always be assured that any assessment of their vulnerability is well grounded. Our consultants can proceed to recommend remediation to improve the client's security posture.