Our Penetration Testing Approach

SecurityEscape's dedicated expert team helps you find vulnerabilities, fix them, and map them into future product updates.

Defining Scope

The scope is first defined by analyzing the complete testing surface of the target application and understanding the baseline architecture of its functional design. This analysis is then sorted by a group of experts into segments, which may include:

  • Nature of core technologies, services, and libraries on which the application is built.
  • Function hierarchy and baseline logic used to run core services.
  • The application’s API or functional structure.
  • Existing firewalls and intrusion detection/prevention systems.

Mapping Parameters & Endpoints

Endpoint mapping plays a key role in our security assessment processes. Our security professionals map every possible endpoint in your application and develop an endpoint relationship map to distinguish shared from unique endpoints. This enables us to:

  • Understand the impact of vulnerabilities affecting multiple endpoints.
  • Avoid gaps while addressing vulnerabilities affecting multiple endpoints.
  • Identify the root cause of detected vulnerabilities.
  • Analyse the impact of chained and logical vulnerabilities with similar endpoints.
  • Scrutinize an application’s new and pending functions.

Business Logic

Application business logic vulnerabilities enable an application’s permissible process flow to be exploited, ultimately impairing the application’s security. Because they are specific to every custom application, business logic vulnerabilities can only be identified through logical reasoning.

Complex applications featuring user roles, accessibility, and user-defined restrictions are often vulnerable because they have been logically misconfigured. Our team closely examines every single functionality of the application to identify any possible business logic flaws.

Our team leverages diverse experience with application security assessment along with the application’s core functionality to gain an in-depth understanding of the application’s business logic.

Our team has successfully identified business logic flaws on the great majority of applications we have audited. The potential consequences of exploits we exposed include:

  • Gaining unauthorized administrative privileges.
  • Upgrading low-tier accounts to high-tier accounts.
  • Placing orders at zero (or any defined) price value.
  • Bypassing the business flow.
  • Unauthorized access to other users’ sensitive information.
  • Constraint exploitation based on the application’s terms and conditions.
  • Bypassing identity verification systems.

Zero Days

Zero-day vulnerabilities remain a constant threat with potentially dangerous consequences. Our experts combine machine and human intelligence to monitor dangerous situations and resolve them quickly and effectively.

Our cloud-powered tools constantly monitor the technologies, libraries, and services your application runs on, to find and combat upcoming zero-days. In addition, the security team manually tracks updates in these technologies to identify zero-day or insecure implementations. It doesn’t stop there; we also provide you with hotfixes or temporary workarounds until an official fix is released.

We constantly ensure all technologies and services used by your applications are updated in line with industry trends and collaborate with your team to work on updates needed by any specific technology.

Our dedicated research arm updates us on all security incidents occurring globally involving any technologies and also constantly tracks unpublished (or upcoming) zero-day attacks.

Compliance & Standards

We ensure coverage of all crucial industry standards within our reports, which share detailed information on current industry standards and compliance requirements. Our monthly reports cover our current standards, which include OWASP, WASC, PCI DSS, and HIPAA.

On completion of assessments, our security professionals include information on the compliance requirements affected by any particular vulnerability or security practice.
