Using the most advanced exploitation techniques, our analysts rigorously test your applications for vulnerabilities. Our testing methodology is based on the OWASP Testing Guide methodology and covers all common tactics, such as SQL injection, request forgery, and application flow errors (business logic), along with some zero-day test techniques that we have.
Spentera has created a mobile testing methodology that combines research-driven guidance based on the OWASP Application Security Verification Standard (ASVS) and the OWASP Testing Guide methodology. Spentera also provides verification and validation across all major control categories, such as the use of cryptography, authentication and authorization, session management, access control, and malicious input validation.
Spentera identifies the likely threat agents and vulnerable components associated with the application. We will work together with your team to produce a holistic view of the application and use the results to make a list of possible vulnerabilities, and to identify the assets that are most likely to be targeted by an attacker, what your value is, and what the impact of your loss would be. This task includes:
After all the information is gathered, we will perform the application security assessment using these approaches:
Because automated tools often produce false positives for possible vulnerabilities, Spentera does not depend fully on the automated tools that are mostly used. Instead, we combine multiple testing techniques without relying on tools. The expected outcome is a comprehensive result after going through the process of automated testing and manual verification.
The use of exploitation tools sometimes adversely affects the application, database, system, network, or other tools. To reduce the impact of exploitation, we always explain and ask for approval if we want to exploit the vulnerabilities found. Whether a vulnerability is exploited depends on many factors (e.g. likelihood, impact, attacker skill). If there is no proof of concept for a vulnerability, we will take the closest approach available to verify it.
Research into new (zero-day) vulnerabilities has always been an interesting challenge. The expected result is the discovery of a vulnerability that has never been found before.