Security Assessments

A security assessment is an in-depth analysis of a software system, in which our consultants make use of as much supplementary information and access as possible. We use a variety of techniques when performing a full security assessment, primarily centred around white-box strategies. These include threat modelling, design review, configuration review, source code review, and binary analysis. These engagements generally require longer time frames, though the duration of the engagement can be adjusted to balance cost with the desired level of thoroughness. Our consultants will work with your development and operations staff to get up to speed quickly on the technology being assessed. When the assessment is complete, our deliverable will include tactical and strategic recommendations for improving the system's security. Here are a few situations in which a security assessment might be appropriate:

  • You are responsible for the security of a software product or project that is essential to your business or brand.

  • You are responsible for the security of a web application that will be exposed to a large number of users or otherwise be very visible externally.

  • You are responsible for a system that plays a critical role in the security of your organization.

  • Security is a core differentiator of your product or service, and you want to put forth your best effort to maximize it.

  • You otherwise wish to favour a more in-depth and rigorous analysis in exchange for a longer engagement.

Azimuth performs network security assessments and host security assessments, web application assessments, and software security assessments. The foundation of our software security assessments is source code review, which we augment with other strategies as appropriate. Please feel free to contact us to learn more about our service offerings and processes.

Penetration Testing

Penetration testing simulates an attack by a focused technical adversary. Our consultants will start with limited information and attempt to compromise a network, web application, or software system using the same techniques that an attacker would employ. Penetration test engagements are typically performed over a shorter time frame, and primarily utilize black-box techniques. These tactics include: scanning, manual and automated fault injection, custom tool creation, reverse engineering, and actual penetration of targets. There are numerous situations in which a penetration test can provide cost-effective yet valuable, actionable security intelligence. Specifically, you might consider this service if:

  • You need to validate the security of a system after you've made an effort to harden it against vulnerability.

  • You need to quickly understand the security properties of a new or unfamiliar system or technology, perhaps after acquisition, or prior to deployment.

  • You need external confirmation and expert analysis to help catalyse an internal effort to secure a system known to be vulnerable.

  • You need a third party's technology assessed, and they are unlikely to be forthcoming with internal information.

  • Your budget or timeframe is otherwise limited and you need to strike a balance between time and thoroughness.

Azimuth performs internal and external network penetration tests, web application penetration tests, and software penetration tests. Please contact us for more information on our specific services.