INFOSEC SERVICES

Penetration Tests

Key Customer Benefits:
  • Document compliance with regulatory programs that require Penetration Tests as part of their certification process
  • Get an attacker's view of your network
  • See actual exploitation results as they would occur if your network was under attack
  • Test both your operational and technical defenses

Many regulatory programs require Penetration Tests as proof of due diligence in hardening networks against attack and misuse. Securisea delivers both the technical skill and the business sensitivity to deliver in-depth Penetration Tests that thoroughly evaluate the real-world security performance of hardware, software and staff, while fully protecting data and preventing disruption of normal business operations.

Each Penetration Test is performed by one of Securisea’s experienced professionals, and is customized for each customer to ensure accuracy and safety. The result from each test is a detailed report analyzing how an intruder might gain access to internal systems under specific conditions, and the necessary steps to prevent such an intrusion in the future.

One of the key advantages to Securisea’s Penetration Testing program is our deep knowledge of both information security infrastructure and industry-specific regulatory requirements. We regularly perform Penetration Tests that assess general network security preparedness, as well as regulation-specific tests that directly evaluate compliance with PCI, SOX, HIPAA and others. Our staff typically has over 10 years of Penetration Test experience, including CISSP, CEPT, CEH, PCI QSA and other certifications.

Securisea Penetration tests typically include one or more of the following:
  • Full network map including host and port scans
  • Network security system detection and evasion
  • Simulated attack of all services present on the network
  • Firewall rule mapping and testing
  • Full web scans of all external web applications
  • Default password tests of all external authentication systems

Web Application Assessment

Key Customer Benefits:
  • Generate a comprehensive list of security vulnerabilities within a Web application that can be exploited from both inside and outside your organization
  • Prioritize the severity of each vulnerability
  • Develop a structured plan for remediation based on immediate need, cost to repair and regulatory exposure

Securisea’s Web Application Assessments thoroughly examine the structure and performance of a Web application from a security perspective, including a full analysis of the application's source code. This process includes a detailed break-down of how the application was built, how it behaves and interacts with users, what internal systems and databases might be at risk if a vulnerability is found and other potential areas of serious security risk.

Web Application Assessments, performed by a qualified independent security assessor, are mandatory to document regulatory compliance for a wide range of industries. Securisea is a certified assessor for PCI and other regulatory regimes. Each engagement is customized to your specific needs. If you are unsure if your Web application requires a security assessment, give us a call and we will be able to provide a quick answer.

Typical Web Application Assessments include parts or all of the following:
  • Examination of application entry points and server security
  • Analysis of source code for any known security vulnerabilities
  • Manual security testing of vulnerabilities found, with full exploitation where required
  • Access control analysis
  • Examination of application logging techniques
  • Default password tests of all external authentication systems

Secure Development Lifecycle Consulting

Key Customer Benefits:
  • Ensure in-house or third-party applications are free of security vulnerabilities prior to deployment
  • Provide broad industry experience and perspective for improving security best practices, including solutions that stress efficiency as well as effectiveness
  • Provide structure and accountability across the security development process
  • Design solutions that improve security while reducing the long term cost of securing applications
  • Improve security capabilities of in-house staff through structured knowledge transfer and hands-on learning

Businesses rely on a Software Development Methodology, either through a formal process or through ad hoc informal procedures. Unfortunately, security is often not a part of this lifecycle, and this necessity does not become apparent until after a system has been deployed and the cost to correct has risen dramatically.

Even worse, many organizations lack the internal expertise to build secure applications. That’s where Securisea comes in. We deliver the toolsets and expertise to enable secure coding, including code reviews, regulatory requirements, and threat modeling. Next, we address all aspects of the traditional application development cycle – Requirements Gathering, Functional Design, Technical Design, Integration and Quality Assurance, and Production Deployment. Finally, we provide comprehensive vulnerability and penetration testing to ensure completed code and deployed applications perform as expected.

Security can be addressed within several key phases of the development lifecycle, including Requirements Gathering, Functional Design, Technical Design, Integration and Quality Assurance Testing, and Production Deployment.

Requirements Gathering
It is critical to address any regulatory (Sarbanes-Oxley (SOX), HIPAA, GLBA, PCI, NERC, etc.) issues pertaining to the system prior to the design phase.

Functional Design
Functional design includes such things as data classification. Data classification determines to what extent the data needs to be secured.

Technical Design
Technical design issues include developing threat models, evaluating data handling strategies, determining appropriate authentication mechanisms, determining session management strategies, error handling facilities, designing audit logging mechanisms, and developing deployment best practice documents.

Integration & QA Testing
Code Reviews should cover code that runs in an elevated context, that listens on a globally accessible network interface, that communicates with external resources, and that handles sensitive data. While most development firms conduct User Requirements Testing, very few review the original design specification regarding security requirements. Security Requirements testing can be completed via vulnerability and penetration testing.

Production Deployment
It is also critical to enforce security best practices and ensure the production environment is properly deployed.

Secure Software Development by Project

Key Customer Benefits:
  • Build secure software from the outset, without having to graft security remediation onto production systems
  • Save time by not having to pull production systems off line or recode applications that are under development for security remediation
  • Save money by being able to iterate secure systems faster than if security had been included in the process afterwards

Many organizations fail to recognize the time and money lost when applications are developed without taking security into account. Each of these systems will at some point fail a security test, and will need to be pulled offline for remediation. This process is complex and expensive – and can easily be avoided simply by building information security into the software development lifecycle itself.

Securisea’s Secure Software Development Lifecycle services create a holistic approach to building security into software from the design phase going forward. Solid code becomes a fundamental part of each application, without adding unnecessary expense or delay into the development and deployment process. The result is secure applications that cost much less to develop and maintain than other applications that must be pulled offline and remediated after the code has been hardened and deployed.

Our consultants have many years of development experience themselves. We understand the issues developers face outside of security, including time and budget pressures. We’ve been there, which is why we are experts at making SDLC adoption a painless process for your organization.

Securisea’s Secure Software Development Project services typically include one or more of the following:
  • Software Design and Requirements
  • Security Policy and Risk Modeling
  • Coding Standards
  • Continuous Application Penetration Testing
  • Code Security Assessments
  • Software Quality Assurance (QA)
  • Release Engineering

Reverse Engineering

Key Customer Benefits:
  • Understand exactly how your applications work, especially when the original developers are no longer available
  • Be able to make changes to existing code to account for conditions not anticipated by the original designers
  • Analyze internal code that may have been altered by attack or misuse
  • Analyze captured malicious code to determine its preprogrammed targets or actions

One of the most significant challenges in building security applications or understanding exactly what happened during a security event is determining how an exploit or weakness in an application affects the overall security of the system. Securisea’s staff can take nearly any type of executable code and provide a translation in source code form that duplicates the full functionality of the existing compiled module. As a result, any application, whether intentional or malicious, can be analyzed to understand exactly how it works, and what implications its actions cause for security across the organization.

Securisea’s Reverse Engineering is useful in many circumstances, including:
  • Maintenance of Legacy Software
  • Malicious Code Analysis
  • Copyright/Intellectual Property Infringement Verification
  • Commercial Software Product Security Analysis

Security Policy Development

Key Customer Benefits:
  • Evaluate existing security policy compared to regulatory environments such as PCI, HIPAA, and GLBA
  • Evaluate existing security policy compared to industry best practices, partner/customer/vendor requirements and specific client needs
  • Deliver an independent third-party overview of overall security effectiveness, as well as suggestions for improvement
  • Free up internal resources by offloading the task of developing security policy from in-house staff

Security policy is a complex ongoing undertaking that requires broad expertise across information security, business operations, departmental and corporate strategic planning and more. Even for sophisticated organizations with formal security policy procedures, it can be difficult to ensure that all aspects of policy are up-to-date with regulatory requirements, industry best practices, customer/partner/vendor requirements and other demands.

Securisea’s Security Policy Development service delivers two key advantages. First, we provide an independent third-party overview of existing policy, including recommendations for cost-effective improvements. Second, our experience in a wide variety of industries and companies means that we can often assume much of the burden of developing security policy, freeing up internal resources for other tasks.

In addition, Securisea’s deep knowledge of PCI, HIPAA, GLBA, SOX and other regulatory environments means that we know how to construct security policy to bring your organization into alignment with regulatory requirements – and how to help your organization document due diligence for each compliance effort. We focus on security policy so you can focus on your business.

Securisea’s Security Policy Development service typically includes one or more of the following:
  • Audit of existing security policy for industry best practices
  • Audit of existing security policy for regulatory requirements
  • Audit of existing security policy based on customer/vendor/partner requirements
  • Creation and modification of security policy to match specific goals
  • Training for in-house staff on security policy development best practices

Security Product Selection Testing

Key Customer Benefits:
  • Review the full breadth of security products and services without pulling staff away from essential daily tasks
  • Save money by avoiding costly purchasing mistakes
  • Verify vendor security claims
  • No source code, no problem
  • Understand exactly how data is available and when

It’s easy to recognize that your organization has to purchase new security infrastructure, or upgrade existing hardware, software and services. However, given the huge number of vendors offering wildly different price, performance and quality levels, how do you know you’re getting the level of quality you need – at the best price and value possible?

Securisea’s Security Product Selection Testing service leverages our deep expertise across a wide range of security products and services to locate and test the offerings that will be most appropriate for you. We combine our technical knowledge, real-world experience across many different types of businesses and industries, and a vendor-neutral approach to ensure that the solutions we recommend will deliver what you need, at a price you can afford.

Securisea’s Security Product Selection Testing service engagements typically involve the following:
  • Customer review to determine need, fit, future scalability and cost efficiency
  • Product/service identification and evaluation
  • Detailed reporting on which products meet the search parameters
  • Configuration and deployment assistance

Network Security Assessment

Key Customer Benefits:
  • Generate a comprehensive, independent overview of your current network security status, including potential vulnerabilities that can be exploited from inside or outside the organization
  • Detailed reporting and analysis, with results filtered to remove false positives so that remediation focuses solely on proven threats
  • Receive customized recommendations, including issue priority by severity, complexity and cost

Networks evolve over time. As a result, it is essential to assess any network’s security posture at regular intervals, both to ensure that old vulnerabilities have been repaired and that new ones have not been introduced. Securisea’s Network Security Assessment Service delivers customized scans and penetration tests that deliver fast, accurate assessments, detailed reporting and analysis, and practical, actionable remediation plans.

Unlike many other vendors, Securisea follows up each assessment with a confirmation process that dramatically minimizes false positives and other inaccuracies inherent in automated solutions. In addition to our own assessment services, Securisea also works with your existing staff and infrastructure to improve in-house scanning efforts and security reviews.

We can tailor assessments to virtually any circumstance including:
  • M&A Security Advisement
  • New Network Assessment
  • False Positive Reduction

Securisea and Information Security

Securisea’s expertise extends well beyond PCI, HIPAA, GLBA and other regulations that have made information security an operational imperative across a wide range of industries, including health care, financial services, manufacturing and more. Each Securisea consultant is an expert in his or her own field and has a decade or more of experience delivering critical information security solutions for difficult problems. We provide each offering on demand, or on an ongoing basis.

No matter which service(s) you choose, Securisea delivers top-tier expertise developed across a wide range of businesses and industries. Your staff can concentrate on your core business, secure in the knowledge that your information security concerns have been fully addressed.