"Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools."
- Open Web Application Security Project (OWASP) Top 10, 2010 Security Report
Unlike vendors of point products or services, we specialize in manual security audits that cover your network, operating system and application layers. We believe the only way to address security concerns is to approach your systems the way an attacker would: our team of experienced security experts works with standard industry tools and our own internal tools and methodologies. Our services have been put to the test against high-profile websites and in support of PCI, SOX and SAS 70 Type I/II compliance efforts.
Our Proactive service provides ongoing security by continuously analyzing network threats and identifying potential attacks or new attack vectors in your infrastructure. The service is tailored to your environment and application: all data passes through our private cloud infrastructure for automated analysis, which hands our security team a filtered subset for manual review and possible action items. Our philosophy is to combine the best tools with the best human talent to create comprehensive, full-circle protection for your enterprise.
Our audits follow a time-tested methodology:
In the first phase we gather domain names, IP network ranges, and information about hosts such as operating systems, running processes, services and applications. The goal is an assessment of your network footprint: how key stakeholders and staff use the infrastructure, and how each server or asset is configured. This is a critical part of understanding both where an attacker would start against your systems and how to spot any immediate flaws in the networking stack.
We then inspect all hosts for weaknesses or crumbs of information that an internal attacker could use to compromise the confidentiality, integrity, or availability of your systems.
Attack Vector & Vulnerability Scanning
We use both automated and manual processes to find weaknesses in exposed services, improper server configurations and security holes in your web application. Having identified these attack vectors, we attempt to exploit them to reach sensitive data such as financial records, password hashes or keys, or to capture specific "trophies" that your company designates. The CROSCON team consists of open-source subject matter experts, and we pride ourselves on the manual techniques that catch the hints a would-be attacker would use to penetrate your network.
In our experience, over 94% of successful attacks target the application layer. As LAMP subject-matter experts, we provide a comprehensive security code review, identifying weaknesses in your application including (but not limited to) the OWASP Top 10 (2010) categories:
- Injection (SQL, code, remote)
- Cross-Site Scripting (XSS)
- Broken Authentication & Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage and/or Processing
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects & Forwards
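To make the first few categories concrete, here is an added example (not CROSCON's code and not taken from any client application) of what a manual code review of a LAMP application turns up: a vulnerable handler beside its hardened form for injection, XSS and CSRF. It uses PDO with an in-memory SQLite database so it runs offline; the users table, its rows and the session array are constructed for the demonstration and are assumptions, not anything from the page.

```php
<?php
// Added example: vulnerable vs. hardened handlers for three OWASP Top 10 (2010) classes.
// Uses PDO + in-memory SQLite (assumed available) so it runs without a MySQL server.
declare(strict_types=1);

// Constructed fixture: a small users table with two rows.
function seed(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// A1 Injection: the request parameter is concatenated straight into the SQL text,
// so the input can change the query's structure.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the SQL grammar,
// so the same payload is matched only as a literal name.
function findUser(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name, role FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A2 XSS: request or database data written into HTML without encoding.
function greetVulnerable(string $name): string {
    return "<p>Hello, $name</p>";
}

// Hardened: encode for the HTML text-node context the value lands in.
function greet(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A5 CSRF: every state-changing form carries a per-session random token,
// checked with a constant-time comparison. $session stands in for $_SESSION.
function issueCsrfToken(array &$session): string {
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrfTokenValid(array $session, ?string $submitted): bool {
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// Walk through the findings with a classic injection payload and a script tag.
$db = seed();
$payload = "x' OR '1'='1";
printf("vulnerable lookup returns %d rows\n", count(findUserVulnerable($db, $payload))); // 2: every user leaks
printf("hardened lookup returns %d rows\n", count(findUser($db, $payload)));             // 0: no user is literally named that

$evil = '<script>alert(1)</script>';
echo greetVulnerable($evil), "\n"; // the script tag reaches the browser unchanged
echo greet($evil), "\n";           // &lt;script&gt;...: rendered as text

$session = [];
$token = issueCsrfToken($session);
var_dump(csrfTokenValid($session, $token));   // bool(true)
var_dump(csrfTokenValid($session, 'forged')); // bool(false)
```

The review finding in each pair is the same: untrusted input crosses a trust boundary (the SQL parser, the HTML parser, the session) without being separated from the code that interprets it. The fix is always to pass data through a channel that cannot alter structure (bound parameters, contextual output encoding, an unguessable token), not to filter the input.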
Finally, we perform an in-depth analysis of the vulnerabilities found to determine their systemic causes and to develop strategic recommendations, which we categorize and prioritize by people, process, and technology. The specific goals and objectives of an audit differ for each engagement, since every business and infrastructure is unique.
Want to Talk?
We'd love to hear from you - contact us today to speak with one of our security experts.