Web Penetration Testing (OWASP Top 10 methodology) | Network Penetration Testing | OWASP API Security | Mobile Vulnerability Assessment (iOS and Android) | Source Code Reviews (.NET, Java, PHP) | Vulnerability Assessment and Penetration Testing | SIEM team (Cloud (AWS and Azure) Security, File Integrity Monitoring and Event Monitoring, Endpoint Security and Encryption, Data Loss Prevention, Network Access Control, Threat Monitoring (Email Traffic and Malware Analysis), Privileged Access and Identity Management)
Have 7+ years of experience in both black-box and white-box penetration testing. Perform VAPT (Vulnerability Assessment and Penetration Testing) services for web applications, networks and mobile applications; source code reviews; malware analysis; server hardening; and security analysis. Conduct penetration testing in a systematic approach, following industry-standard methodologies such as the OWASP Testing Guide v4 (OTGv4), the CWE/SANS Top 25, NIST SP 800-115 and PCI DSS, so that clients can concentrate on their business without worrying about security threats.
Web Application Testing: Perform web application penetration testing against the OWASP Top 10 and the CWE/SANS Top 25. Perform both manual and automated testing for vulnerabilities such as injection flaws (SQL, NoSQL, OS command and LDAP injection), Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities and Insufficient Logging & Monitoring (the OWASP Top 10 2017 categories). Also perform source code reviews for technologies such as Java, .NET and PHP.
Approach for Manual Web Application Penetration Testing: Conduct manual testing covering the following OTGv4 test categories:
* Configuration and Deployment Management Testing
* Identity Management Testing
* Authentication Testing
* Authorization Testing
* Session Management Testing
* Input Validation Testing
* Testing for Error Handling
* Testing for weak Cryptography
* Business Logic Testing
* Client Side Testing
Tools used for automated web penetration testing: Acunetix, Burp Suite, Netsparker, Nexpose, Nikto, IBM AppScan, HP Fortify, w3af, etc.
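As an added example (not part of the original profile), a small Python checker for the response-header and cookie-attribute findings that fall under the Configuration and Deployment Management and Session Management test categories above. The HTTP response it audits is constructed; the list of expected headers reflects common OTGv4 checks, not any particular client's requirements.

```python
"""Audit an HTTP response for header and cookie weaknesses a manual web
tester records. Added example; SAMPLE_RESPONSE below is constructed."""
import re
from typing import List, Tuple

# Constructed sample response: a PHP application with a session cookie set
# without Secure/HttpOnly/SameSite and with version-disclosing headers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=8f3a9c2e; Path=/
Set-Cookie: csrf=1d2c; Path=/; Secure; HttpOnly; SameSite=Strict
"""

# Security headers whose absence is reported (Configuration and Deployment
# Management Testing). Names are lower-cased for comparison.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: plaintext downgrade / cookie hijack",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation",
    "x-frame-options": "X-Frame-Options missing: clickjacking",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing",
}
# Headers that commonly leak stack versions (Security Misconfiguration).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs, keeping duplicate Set-Cookie lines."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie value lacking Secure, HttpOnly or SameSite
    (Session Management Testing)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name}: missing {flag}"
            for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def audit_response(raw: str) -> List[str]:
    """Combine header-presence, version-disclosure and cookie-attribute checks."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name in DISCLOSURE_HEADERS and re.search(r"\d", value):
            findings.append(f"version disclosure in {name}: {value}")
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Running it against the constructed response yields nine findings: the four missing security headers, two version disclosures, and three missing attributes on PHPSESSID; the csrf cookie passes. In an engagement the raw response comes from the proxy (Burp's repeater/history export), not from a literal.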
Network Penetration Testing: Provide both external and internal network penetration testing so that your network infrastructure is secured against real-world attacks. Perform both manual and automated network penetration testing.
Approach for Manual Network Penetration Testing: Manually review IDS/IPS, servers, network switches, routers, VPNs, firewalls, anti-virus, password policies, etc.
Tools used for automated network penetration testing: OpenVAS, Wireshark, Nessus, Metasploit, Armitage, Scapy, etc.
Mobile Application Penetration Testing: Perform mobile application penetration testing following the OWASP Mobile Security Testing Guide (MSTG). Perform both manual and automated testing for vulnerabilities such as Weak Server Side Controls, Insecure Data Storage, Insufficient Transport Layer Protection, Unintended Data Leakage, Poor Authorization and Authentication, Broken Cryptography, Client Side Injection, Security Decisions Via Untrusted Inputs, Improper Session Handling and Lack of Binary Protections (the OWASP Mobile Top 10 2014 categories).
Tools: Burp Suite, HP Fortify, dex2jar, Apktool (with the device's framework-res.apk), iNalyzer.
Source Code Reviews: Perform source code reviews for both front-end and back-end languages, following standard methodologies such as the OWASP Top 10. Perform manual and automated source code reviews for web security vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), CSRF, RFI/LFI and authentication bypass.
Tools: Checkmarx, IBM AppScan Source, Micro Focus (HP) Fortify.
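As an added example (not code from the original profile), the SQL injection flaw that both the web testing above and a source code review hunt for, shown beside its parameterised fix and demonstrated against an in-memory SQLite table with constructed rows, plus a grep-style heuristic for flagging query-building lines during manual review. The heuristic is illustrative and necessarily noisy; the SAST tools listed do proper taint tracking.

```python
"""SQL injection: vulnerable pattern, parameterised fix, and a review heuristic.
Added example; table rows and REVIEW_SNIPPET are constructed."""
import re
import sqlite3
from typing import List, Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """The pattern a review flags: attacker input concatenated into the query text."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str,
                password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Heuristic: a string literal holding a SQL verb that is an f-string or is
# followed by % / + concatenation. Simple by design; expect false positives.
SQL_BUILD = re.compile(
    r"""(f["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b"""
    r"""|["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*(%|\+))""",
    re.IGNORECASE,
)


def find_sql_sinks(source: str) -> List[int]:
    """Return 1-based line numbers where a query appears to be built from input."""
    return [n for n, line in enumerate(source.splitlines(), 1) if SQL_BUILD.search(line)]


# Constructed code under review: three unsafe constructions and one safe one.
REVIEW_SNIPPET = '''
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE id = %s" % uid)
cur.execute("DELETE FROM logs WHERE id = " + str(log_id))
cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", tautology))   # admin row, no password
    print("fixed:     ", login_fixed(db, "x", tautology))        # None
    print("comment payload:", login_vulnerable(db, "alice' -- ", "wrong"))
    print("suspicious lines:", find_sql_sinks(REVIEW_SNIPPET))
```

The tautology payload works because `AND` binds tighter than `OR`, so the `WHERE` clause collapses to `... OR '1'='1'`; the `-- ` payload comments out the password check entirely. Both return the first row, here the admin, against the vulnerable function and nothing against the parameterised one.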
Security Analysis and Server Hardening: Regularly check and maintain your systems and servers to ensure that they comply with the relevant standards. The hardening checks run automatically on a daily basis and monitor all critical network and server components. Supported frameworks include the CIS Benchmarks for desktops and web browsers, mobile devices, network devices, server operating systems, virtualization platforms and cloud, etc.
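As an added example (not the profile's own tooling), a Python check of the kind a CIS-benchmark-based hardening audit runs against an OpenSSH server configuration. The sshd_config text is constructed; the six recommendations are drawn from the SSH section of the CIS Linux benchmarks, with their section numbers and exact wording omitted. The parser follows sshd(8) semantics: keywords are case-insensitive, the first value obtained for a keyword wins, and parsing stops at a Match block because values inside it apply only conditionally.

```python
"""CIS-style audit of sshd_config. Added example; SAMPLE_SSHD_CONFIG is constructed."""
import re
from typing import Callable, Dict, List, Tuple

SAMPLE_SSHD_CONFIG = """# constructed sshd_config for illustration
Port 22
Protocol 2
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 6
permitemptypasswords no
X11Forwarding yes
# PermitRootLogin no   <- commented out, must be ignored
PermitRootLogin no
"""

# (lower-cased keyword, description, predicate over the lower-cased value)
CHECKS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("permitrootlogin", "PermitRootLogin must be 'no'", lambda v: v == "no"),
    ("permitemptypasswords", "PermitEmptyPasswords must be 'no'", lambda v: v == "no"),
    ("maxauthtries", "MaxAuthTries must be 4 or less",
     lambda v: v.isdigit() and int(v) <= 4),
    ("x11forwarding", "X11Forwarding must be 'no'", lambda v: v == "no"),
    ("hostbasedauthentication", "HostbasedAuthentication must be 'no'", lambda v: v == "no"),
    ("loglevel", "LogLevel must be INFO or VERBOSE", lambda v: v in ("info", "verbose")),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value. First occurrence wins, comments are
    stripped, 'Keyword value' and 'Keyword=value' are both accepted, and the
    global section ends at the first Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # keep the first value, as sshd does
    return settings


def audit_sshd(text: str) -> List[str]:
    """Return one failure message per benchmark item not met. A keyword that is
    not set explicitly is reported too: the compiled-in default may be fine,
    but the effective value should be confirmed with 'sshd -T'."""
    settings = parse_sshd_config(text)
    failures = []
    for key, description, ok in CHECKS:
        value = settings.get(key)
        if value is None:
            failures.append(f"{description}: not set explicitly (default applies; confirm with 'sshd -T')")
        elif not ok(value.lower()):
            failures.append(f"{description}: found '{value}'")
    return failures


if __name__ == "__main__":
    for failure in audit_sshd(SAMPLE_SSHD_CONFIG):
        print("FAIL:", failure)
```

On the constructed file the audit reports four failures: PermitRootLogin (the first, uncommented `yes` wins over the later `no`), MaxAuthTries 6, X11Forwarding yes, and HostbasedAuthentication not set. A daily job would run this over each host's `/etc/ssh/sshd_config` and diff the result against the previous run.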
Social Engineering: Have experience with social engineering vectors: vishing, phishing, smishing and impersonation. The following social engineering cycle is used to conduct engagements:
Gather information: Information is gathered from company websites, social media and other publications.
Plan attack: Outline how the attack is intended to be executed.
Acquire tools: Prepare the tools, such as the computer programs the attacker will use when launching the attack.
Attack: Exploit the weaknesses in the target system.
Use acquired knowledge: Information gathered during the social engineering engagement is used in follow-on attacks such as password guessing.
Tools: SET (Social-Engineer Toolkit, Kali Linux); Gophish.