Penetration testing

Our testing and assessment methods include evaluation of IT infrastructure and of cyber-physical or OT infrastructure, applying black-box testing, testing from the perspective of an authorized user (grey-box), and analyzing the configuration of each infrastructure component and application (white-box or crystal-box).

Penetration Test areas

1. Website / Web application

For most large enterprises, these are complex systems: they have a large database behind them, as well as authentication, authorization and other convenience and security features. At the beginning of the examination we create attacker models for the tested websites and web applications and execute the test using these models. Our methodology is based on the OWASP standard, which we have refined based on our own experience and knowledge.

2. Mobile app test

We can model all attacker models and all use cases on both iOS and Android. For Android, in addition to static analysis, we perform testing in emulated environments and in real physical environments on live devices. Our methodology covers a wide range of scenarios: we test on rooted, non-rooted and emulated environments. For iOS, we examine the application statically and also dynamically in a native environment. Mobile payment options have been increasing, and soft token solutions (enabling transactions with a mobile app) are becoming more common. We are prepared to test these on real devices in a realistic way.

3. Infrastructure pentest / Network pentest

We also carry out external and internal infrastructure tests. During an external examination, we check which services are running on the customer's public servers (mail, VPN, DNS, etc.) and whether these services are secure or can be exploited from the public Internet. In the case of an internal infrastructure test, the same tests are performed on the internal network only. In addition, on an internal network we also execute the common test cases and attack scenarios used against Windows environments.

4. Desktop App pentest

Desktop applications are designed to meet specific business needs and create specific security situations. Testing them usually involves a traditionally installed Windows application, which means that the testers need to be familiar with the deeper layers of the operating system and with both thick-client and thin-client testing.

5. IoT / Hardware / Smart device pentest

This is a very new area within IT, and not many people in the market understand it, but we have the expertise. An IoT examination has a physical part (whether the particular device is put together correctly), a communication part (checking all kinds of wired and wireless communication) and a software part (examining the software running on the device). For a traditional network-connected device or an IoT ecosystem with multiple components, the examination is extended with a smaller-scale infrastructure test.

6. API / backend pentest

In the case of mobile and desktop applications, the important business logic is not executed on the client side but on the server side, by an API server at the service provider. An API is a web-based service that has no website to visit, but it controls and ensures the flow of information to the relevant backend services. Logic flaws and access control problems in an API that were not identified during development need to be detected. These problems are usually much more severe than the weaknesses in the client-side components (mobile or desktop applications).

Our methodology

Detailed situation assessment, understanding the context of the analysis

Rapid investigation - we give something tangible very quickly

Our clients will also receive the results of the deep analysis later

We make suggestions for correcting the identified errors and identify further actions to be taken

We are integrated in the international academic network of mad scientists and IT security communities

What you get

Educational, transparent and detailed report to upgrade your security posture

Professional excellence, customer oriented attitude

Follow-up, support, training and consulting as requested

We have real professional knowledge and industry experience

All our results are delivered with business usability in mind