Security service details

Vulnerability Assessment of LMS Installation and Web Application

Our security engineers review the installation and configuration of your LMS and provide a cybersecurity threat assessment. Based on OWASP standards.

More information

Component risk assessment and update status

Our security software engineer will review your LMS to ensure all components are up to date and secure.

More information

Custom code and external integration vulnerability assessment

Our ethical hackers and security engineers will review and test custom-developed code to identify vulnerabilities and provide an assessment report. We will review all external third-party integrations to see if they may result in hostile access to your LMS. Our assessment is based on the 10 best practices of the OWASP.

More information

Strategic external penetration testing

Our certified ethical hacker will perform advanced external penetration testing on your infrastructure to identify various weaknesses that hackers could use to exploit your organization. Our experts test your business for any sensitive data that might already be publicly available.

More information

The Service is designed to reveal security shortcomings which could be exploited to gain unauthorized access to critical network components. These could include:

Vulnerable network architecture, insufficient network protection
Vulnerabilities leading to network traffic interception and redirection
Insufficient authentication and authorization in different services
Weak user credentials
Configuration flaws, including excessive user privileges
Vulnerabilities caused by the usage of outdated hardware and software versions without the latest security updates
Information disclosure

The Service is also designed to provide OSINT or Open Source Intelligence refers to information about individuals or companies that can be freely and legally gathered from publicly available sources.

Model

Security assessment conducted through the Internet by an "attacker" with limited or no knowledge of your system.

Steps

Passive information gathering
Active information gathering (network discovery), including port scanning, identifying available services and manual requests to certain services (SSH, telnet, FTP, DNS, mail, etc.),
External vulnerability scanning and analyzing
Manual vulnerability analysis, including identification of resources without authentication, important publically available information, insufficient access control
Guessing credentials
Exploitation of the vulnerabilities and privilege escalation(if possible)
Develop all attack methods available during testing that have been exhausted.

The analysis is performed using automated tools as well as manually by experts. The following security assessment tools can be used:

Information gathering tools (Maltego, theHarvester, FOCA etc.)
Various general-purpose and specialized scanners (NMap, OpenVAS, WPScan, nikto, w3af and others)
Credentials guessing tools (Hydra, Medusa, potator and others)
Web application security tools (OWASP ZAP, BurpSuite, Sn1per, SQLmap, etc.)
And others, including limited access exploits and custom exploitation tools

Results:

Following the service, customers receive a report containing the following:

High-level conclusions on the security flaws and recommendations to remediate them;
A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
Recommendations for eliminating vulnerabilities;
Recommendations on mitigating the identified issues;
Detailed description of information that was detected concerning your organization.

Based on cybersecurity world best methodologies and practices:

Open Source Security Testing Methodology Manual (OSSTMM);
Open Web Application Security Project (OWASP) Testing Guide;
Penetration Testing Execution Standard (PTES);
NIST Special Publications 800-115 Technical Guide to Information Security Testing.

Assessment

Information Systems Security Assessment Framework (ISSAF);
Web Application Security Consortium (WASC) Threat Classification;
Common Vulnerability Scoring System (CVSS).

Web application and API penetration testing

Our ethical hackers and application security engineers test your web applications and APIs to identify security vulnerabilities that exist within a web application and API.

More information

The service is designed to identify vulnerabilities within your applications, from low to high risk, via a simulated attack to improve your security and mitigate risks.

The testing includes the entire application or just specific areas of functionality. Our approach allow find many types of vulnerabilities on the areas we assess:

Authentication
Authorization and access control
Cross-site scripting (XSS)
SQL and other type injection vulnerabilities
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Insecure file upload
XML-related issues
Unsafe deserialization
Business logic flaws
Unnecessary information disclosure

Model

Black-box testing;
Simulating an external attacker without prior knowledge of the application's internal structures and workings;
Grey-box testing;
Simulating legitimate users with a range of profiles;
White-box testing;
Analysis with full access to the application's source codes.

Steps

Gathering Information;
Conducting reconnaissance activities to locate information leakage, identifying utilized technologies, map application entry and functionality, and other related tasks to guide testing;
Vulnerability scanning and analyzing;
Automated scans and manual tests to discover flaws in the application which could be exploited. Deep-analysis of vulnerabilities via typical hacker's techniques, such as banner-grabbing, HTTP header analysis, brute-forcing of login pages and examination of web forms to identify locations in the application that may be open for exploitation;
Exploitation of vulnerabilities;
Providing attempts to establish access to a system or resource by bypassing security restrictions and weaknesses in the design and development of your application. This sometimes encompasses user privilege escalation when available in your application and includes a range of techniques such as various injections, cross-site scripting (XSS), insufficient authorization and others;
Analysis and Reporting;
Analyzing the results and providing a detailed exploitation report identifying any vulnerabilities discovered;
The analysis is performed manually by experts and using automated tools hackers use.

Results

Following the service, customers receive a report containing the following:

High-level conclusions on the security flaws and recommendations to remediate them;
A detailed description of detected vulnerabilities, including severity level, possible impact on the vulnerable system, and evidence of the existence of vulnerabilities (where possible);
Recommendations for eliminating vulnerabilities

Our methodology based on cybersecurity world best methodologies and practices:

Open Source Security Testing Methodology Manual (OSSTMM);
Open Web Application Security Project (OWASP);
Web Application Security Consortium (WASC) Threat Classification;
Penetration Testing Execution Standard (PTES);
NIST Special Publications 800-115 Technical Guide to Information Security Testing;
Common Vulnerability Scoring System (CVSS);
Information Systems Security Assessment Framework (ISSAF);

Reports and information

A comprehensive assessment report detailing the tests performed, hack simulations, penetration testing, vulnerabilities and findings that threaten your organization, along with actionable recommendations.

Let's further protect your organization