Security Evaluation

Terishield adopts an innovative approach to conducting security evaluations. Rather than merely adhering to standard methodologies, they integrate the latest technologies and strategies so that their assessments are up to date, accurate, and capable of detecting even the most sophisticated threats. A constant commitment to research and development keeps them one step ahead of potential risks, ensuring clients receive comprehensive and advanced protection.

Vulnerability Assessment

Vulnerability assessment of infrastructures and web applications, with contextual remediation proposals for each finding. The Vulnerability Assessment activity is divided between a perimeter vulnerability scan and an internal infrastructure scan: the first covers assets exposed on the outer perimeter of the network, the second covers assets internal to the network.

Security Audit

A security audit is a systematic and measurable analysis of how an organization’s security policies and procedures compare to established security standards.

The goal of a security audit is to identify security weaknesses, verify compliance with established security standards or current regulations, and provide recommendations for improving security.

There are several types of security audits, including:

  • Internal Audit: Checks compliance of systems with the company’s IT policies and procedures.
  • External Audit: Simulations of external attacks aimed at acquiring information about the computer system.
  • Compliance Audit: A verification process that ensures an organization complies with applicable regulations and laws. This type of audit is crucial to ensure that the organization aligns with regulations such as GDPR (General Data Protection Regulation) or new Data Protection Laws that govern the processing of personal data, or PCI-DSS (Payment Card Industry Data Security Standard), concerning the security of payment card data.
  • Technical Audits / Penetration Tests:
      • Infrastructure Audit: Focuses on assessing an organization’s physical and technological infrastructures. This may include network hardware, servers, storage systems, and physical installations. The methodologies used in this area can include configuration analysis, resilience evaluation, and compliance with security standards.
      • Application Audit: Focuses on the software applications used within an organization. This type of audit assesses the security, performance, and compliance of applications against business and regulatory requirements. Methodologies such as OWASP (Open Web Application Security Project) for web applications and MASVS/MSTG (Mobile Application Security Verification Standard/Mobile Security Testing Guide) for mobile applications are often used.
  • Risk Assessment: Identifies and evaluates security risks. It focuses on the protection of data and IT infrastructures. The goal is to ensure the confidentiality, integrity, and availability of information (CIA), considering the operation and lifecycle of data, which can be at rest, in transit, or in processing. Relevant international standards include ISO 31000:2018 on risk management and ISO 27001:2022 on information security.

The methodologies used in a security audit include the detailed analysis of configurations, policies, procedures, and security controls implemented on networks, systems, applications, data, and business processes.

This audit process involves several phases, including planning, data collection, data analysis, and report production.

A security audit should be a continuous process, not a sporadic event, and aims to maintain an adequate level of security over time.

Static Analysis (SAST)

Static source code analysis, also known as Static Application Security Testing (SAST), is a repeatable testing methodology used to inspect an application’s source code to identify security vulnerabilities without the need to execute the program. This type of analysis requires access to the application’s internal code.

SAST enables the detection of security vulnerabilities in the source code early in the software development lifecycle, before the final release of the application, significantly reducing risks. In addition, it allows for the analysis of a large amount of source code, balancing automation with manual verification of results to reduce the number of false positives and false negatives.

Dynamic Analysis (DAST)

DAST (Dynamic Application Security Testing) is a security testing methodology for applications that focuses on analysing running applications to identify security vulnerabilities. Unlike SAST (Static Application Security Testing), which analyses static source code, DAST examines the application during its operation, simulating external attacks to discover security issues that only manifest while the application is running.

DAST is used to test web applications from the outside, identifying vulnerabilities such as issues in interfaces, requests and responses, scripts, data injections, session and authentication issues, configuration, and more. This type of testing is particularly useful for detecting vulnerabilities that are not apparent in source code analysis but emerge when the application is operational and interacts with other systems or data.

The dynamic approach of DAST complements other testing methods such as SAST, and they are often used together to provide more comprehensive security coverage. While SAST can identify vulnerabilities in the source code before the application runs, DAST can detect issues that only occur at runtime or that are related to the application’s interaction with its operating environment.

Interested in our services but unsure how to tailor them to your business needs?

Our specialists are ready to listen carefully to your needs to identify and propose a customized solution that aligns perfectly with your requirements.

Complementary Consultations

Terishield offers a range of consultations related to the world of digital and financial security. Many services are enhanced by integrating others that complement and supplement them.

  • Ethical Hacking: The main goal is to enhance security by anticipating techniques that could be used by malicious actors to illegally access systems and data.
  • Defence Security: The primary objective is to create barriers that make it difficult for attackers to penetrate or damage computer systems.
All Rights Reserved 2024 © Terishield SA