IT Security Assessment

Hacking is the exploitation of controls, whether technical, physical or human-based

Security controls have to be put to the test

Despite the increasing number of cyber-attacks in the news and stricter regulatory requirements, there is always a debate over whether security controls are needed at all. After all, extensive security measures make up a considerable share of what it costs to host web applications.

Highly effective security controls such as web application firewalls in particular require a lot of know-how to administer, as well as close cooperation with the application developers, to achieve maximum security. Many companies question these costs, citing the principle 'to overshoot the mark is as bad as not hitting it at all'.

Effectiveness of security controls

Hackers do not sleep and, driven by various motivations, are constantly developing new techniques to compromise web applications. Security controls therefore have to be adapted at the same pace to withstand these threats. However, the expense of periodic security checks has to be kept within budget. This is where the expertise of specialized companies, which provide this knowledge in the form of automated and intelligent software tools, is required.

Security scans and penetration tests

Vulnerability scanners, web application scanners and other software supporting penetration tests provide valuable indications of the vulnerabilities of an infrastructure and its applications. They speed up the analysis process and help to keep the cost of a security check low.

However, what all automated security analysis tools have in common is that their results have to be checked by qualified persons in order to filter out so-called false positives: reported vulnerabilities that a manual check identifies as false alarms.

Another reason for manual verification is that vulnerability scans in particular operate in a non-invasive mode to avoid damaging production systems and causing business disruptions. Since a non-invasive scan cannot determine whether and how a reported vulnerability could actually be exploited by an attacker, this reduces both the scope of the inspection and the accuracy of the results.

The elimination of false positives and the documentation of the exploit probability and threat level of each vulnerability are part of our security reports when we check the security controls of web applications.
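The following script is an added illustration of the triage step described above; it is not the provider's tooling. It takes version-based scanner findings and checks them against a host inventory of the kind a "Status Quo" image supplies (installed versions, patch level, exposure), marking findings as confirmed, needing manual verification, or likely false positives, and ranking the rest by severity and exposure. All hosts, services, version numbers and the ISSUE-PLACEHOLDER-n advisory ids are constructed sample data, and the inventory format is an assumption.

```python
"""Triage of automated scanner findings against a host inventory.

Added example, not the provider's own tooling. The finding fields, the
inventory layout and every host, service, version and issue id below are
constructed; ISSUE-PLACEHOLDER-n stands in for a real advisory id.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    issue: str               # advisory id reported by the scanner (placeholder)
    banner_version: str      # version string the scanner read from the banner
    fixed_in: str            # upstream version the scanner considers patched
    severity: int            # 1 (low) .. 4 (critical), as rated by the scanner
    actively_verified: bool  # True only if the scanner actually exercised the flaw


# Constructed "Status Quo" inventory: per host, whether it is internet-facing and,
# per service, the installed upstream version plus the advisories whose fixes the
# vendor backported at the current patch level (the banner does not show those).
INVENTORY = {
    "web01": {
        "exposed": True,
        "services": {
            "nginx": {"version": "1.18.0", "backported": {"ISSUE-PLACEHOLDER-1"}},
            "openssh": {"version": "8.4", "backported": set()},
        },
    },
    "db01": {
        "exposed": False,
        "services": {
            "postgresql": {"version": "13.4", "backported": set()},
        },
    },
}

# Constructed scanner output for the inventory above.
FINDINGS = [
    Finding("web01", "nginx", "ISSUE-PLACEHOLDER-1", "1.18.0", "1.20.0", 3, False),
    Finding("web01", "openssh", "ISSUE-PLACEHOLDER-2", "8.4", "8.5", 2, False),
    Finding("db01", "postgresql", "ISSUE-PLACEHOLDER-3", "13", "13.2", 4, False),
    Finding("web01", "php-fpm", "ISSUE-PLACEHOLDER-4", "7.4", "7.4.3", 3, False),
    Finding("web01", "nginx", "ISSUE-PLACEHOLDER-5", "1.18.0", "1.19.0", 4, True),
]

VERDICT_ORDER = {"confirmed": 0, "verify manually": 1, "likely false positive": 2}


def parse_version(text):
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(finding, inventory):
    """Return (verdict, reason) for one finding."""
    if finding.actively_verified:
        return "confirmed", "scanner exercised the flaw"
    host = inventory.get(finding.host, {})
    service = host.get("services", {}).get(finding.service)
    if service is None:
        return "verify manually", "service not in inventory; check banner and inventory"
    if parse_version(service["version"]) >= parse_version(finding.fixed_in):
        return "likely false positive", "installed version already at or above the fix"
    if finding.issue in service["backported"]:
        return "likely false positive", "fix backported at current patch level"
    return "verify manually", "version-based detection only"


def risk_score(finding, inventory):
    """Scanner severity weighted by exposure: internet-facing hosts count double."""
    exposed = inventory.get(finding.host, {}).get("exposed", True)
    return finding.severity * (2 if exposed else 1)


def triage(findings, inventory):
    """Classify every finding and order the report: confirmed issues first, then
    items needing manual verification, highest risk first within each group."""
    rows = []
    for f in findings:
        verdict, reason = classify(f, inventory)
        rows.append({"host": f.host, "service": f.service, "issue": f.issue,
                     "verdict": verdict, "reason": reason,
                     "risk": risk_score(f, inventory)})
    rows.sort(key=lambda r: (VERDICT_ORDER[r["verdict"]], -r["risk"]))
    return rows


if __name__ == "__main__":
    for row in triage(FINDINGS, INVENTORY):
        print(f"{row['host']:6} {row['service']:11} {row['issue']:20} "
              f"risk={row['risk']} {row['verdict']}: {row['reason']}")
```

The two "likely false positive" branches are the ones a banner-only scan cannot see: a truncated banner ("13" instead of "13.4") and a vendor backport that leaves the upstream version string unchanged. Findings outside the inventory are deliberately not discarded, since they may reveal an inventory gap rather than a scanner error.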

Network Scan

System Security Audit

Network Vulnerability Assessment
Network Configuration Assessment

System Fingerprinting
Vulnerability Assessment Scanning
Software Configuration Assessment

Application Scan

Web Application Audit

Input Validation Vulnerability
SQL Injection, Cross-Site Scripting, Command Injection

Authentication Vulnerability
Dictionary attack against login forms
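As an added example of the kind of design proposal a code review produces for the three input validation classes listed under Web Application Audit, the block below places a vulnerable version of each handler next to its hardened form. This is illustration code, not code from the provider or from any audited application; the table, its rows, the sample inputs and the use of `echo` as a stand-in for a real command-line tool are all constructed.

```python
"""Vulnerable and hardened handling of untrusted input for SQL injection,
cross-site scripting and command injection. Added example, not code from
the hosting provider; the table, the rows and the sample inputs are constructed.
"""
import html
import re
import sqlite3
import subprocess


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


# --- SQL injection -------------------------------------------------------
def find_user_vulnerable(conn, name):
    # The input is spliced into the SQL text, so it can change the query's
    # structure instead of acting as a plain value.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn, name):
    # Parameter binding: the database receives the input as data only.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting ------------------------------------------------
def greeting_vulnerable(name):
    # Raw input is embedded in HTML, so markup in the input becomes part of the page.
    return f"<p>Hello {name}</p>"


def greeting_hardened(name):
    # Escape for the HTML context the value is written into.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- Command injection ---------------------------------------------------
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host):
    # shell=True hands one string to /bin/sh, so shell metacharacters in the
    # input are interpreted as commands. 'echo' stands in for a real tool.
    return subprocess.run(f"echo {host}", shell=True, capture_output=True,
                          text=True).stdout


def lookup_hardened(host):
    # Allowlist the input shape first, then pass an argv list: no shell is
    # involved, so the value cannot become a second command.
    if not HOSTNAME.match(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(conn, probe))   # every row: the WHERE clause was rewritten
    print(find_user_hardened(conn, probe))     # no row has that literal name
    print(greeting_hardened("<b>x</b>"))
    print(lookup_vulnerable("a; echo INJECTED"), lookup_hardened("a.example.test"))
```

The common thread in the hardened forms is that untrusted input is kept as data in whatever interpreter consumes it: bound parameters for SQL, context-specific escaping for HTML, and an argv list with an allowlist check instead of a shell string.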

Security Reporting

Security Reports

Documentation with risk evaluation by security experts

Code reviews with design proposals for solutions or workarounds

Frequency of security scans

Before a newly installed hosting system is delivered to our customer, we conduct a System Security Audit to establish its initial security level. After the application software has been installed and right before going live, we recommend conducting a Web Application Audit in order to identify and eliminate vulnerabilities in good time. The audit results also show whether the security policy has to be adapted for this web application and whether new security controls become necessary.

Ideally, Web Application Audits should always be conducted before complex changes to the application software are published, as this offers the best protection against attackers finding vulnerabilities before they are identified and eliminated in a periodic security audit.

Especially when extensive information security requirements have been defined during the development of the application software and sufficient control mechanisms have been established, the periodic security reports (which we also create for our customers) prove useful as well. On request we support our customers with code reviews of identified vulnerabilities and with design proposals for solutions or temporary workarounds.

Support of third party security audits

Extensive security services are part of our Managed Hosting Services. We therefore understand the need of our customers to have security audits or penetration tests conducted by a third party in order to obtain an independent assessment of the IT security of the hosting infrastructure, or to fulfil the criteria of security certifications.

To give auditors commissioned by our customers a quick overview of the test objects, we provide them, on request, with extensive documentation. This contains network plans of the Private Cloud infrastructure including network components, communication connections and IP address lists, as well as a basic description of the hardening measures and a so-called Status Quo image of the customer's IT system. This Status Quo lists all installed operating systems, services and application software components together with their version and patch level.

We also offer support with the final evaluation of the results and with the design and implementation of measures to effectively remediate the identified vulnerabilities.