Security Simplified !
Hackers Locked Security Testing Services
Is your Web Application "Hacking Proof"?
www.hackerslocked.com
70% of threats are at the Web application layer – Gartner
Web applications are a critical success factor for your business. Your office premises protect your business from intruders and keep your assets safe. Your web application should not be an exception!
WEB APPLICATION PENETRATION TESTING
We are all under attack. Even if you do not think that is the case, or you do not notice attacks in your day-to-day business, attacks on your web application are still ongoing. Your company website is the modern-day gateway for your clients to reach you. Did you ever ask the question "Is your website secure?"
Over the last few years, the demand for security testing services has grown dramatically as businesses have recognized the need to provide assurance that they are protected from external and internal threats.
We provide testing services that can be applied before and after implementation and as part of a regular testing strategy. In essence these services emulate real-life threat agents, for example disgruntled employees, external hackers of various skill levels, or even industrial espionage operations.
Tests can target the business web applications. Quite often, clients request that our testing team goes after a predefined target, such as a sales database, without restrictions in techniques, exactly as a real attacker would operate. Careful planning and strict control make these special tests safe: no disruption to your operations and, obviously, no harm to your employees.
We have developed testing techniques by which vulnerabilities in your environment are located, tested, and remediation advice is given. Scenarios of successful attacks are described in detail. All of our advice is given a business context to enable both technical and managerial audiences to appreciate the findings.
OUR VALUE:
When we work on a pentest we use tools, absolutely, so the obvious question is how we are different from others. The difference is the subject matter expertise of our expert penetration testers. Once the tool has given its output we dig deeper, understand the reported vulnerabilities, verify exploits and look out for unknown issues in the application's business logic. We create specific manual test cases that enable us to reproduce scenarios reflecting the impact of a real-world hack attack.
HL PENETRATION TESTING SERVICES
Many security testing companies focus their assessments around blindly trusting the output of tools to create a risk snapshot. And yes, it is a compelling thought to just be able to click start and then end up with a full report, but a real hacker goes way beyond. We do the
OUR PROCESS:
Security is a complex business, but not for our clients. They truly believe we "simplify Security" and they can focus on their core business while we keep it secure. A snapshot of "your" security testing experience with Hackers Locked:
You Order:
In this stage you provide your mandate for testing your web application. This includes signing a non-disclosure agreement and agreeing deliverables. Output of this stage is the agreed scope, a letter of authority and a detailed approach.
We Test:
In this stage we perform ethical hacking on your web application. This is a replication of a real-world attack, executed in a controlled environment on pre-agreed terms. Output of this stage is our test report, which includes SMART action points. Our reports clearly differentiate between positive and negative test cases so that you know where you score and where you still need to improve.
You Fix:
Your development team converts our SMART action points into technical fixes for each vulnerability identified in the report, and we support your team with our expert advice. Output of this stage is a readiness report for re-test.
We Re-test:
Once you fix the holes we re-test to ensure all the fixes are effective in preventing any compromise. Once we successfully verify the fixes, the engagement is concluded as a successful test resulting in a web application security certification.
OUR ATTITUDE TOWARDS PENTEST
In a penetration test we simulate hacker attacks, effectively exploiting vulnerabilities using sophisticated techniques to gain unauthorized access, or to force a web application to serve an unintended purpose by exploiting the business logic or technical blind spots that your developers overlooked.
Hackers Locked provided us with a fast, efficient and high quality service. The final report was well presented, detailed and gave us confidence in the quality and robust nature of the testing carried out. Hackers Locked services are fully featured, responsive and represent excellent value for money.
Matthew Hammond
University of Edinburgh
Corpedia's experience with Hacker's Locked was exceptional. Communication was prompt, service was great and the assessment thorough. Follow-up documentation and test case data was also very helpful. We would certainly use this service again!
Scott Baugh
Corpedia
OUR METHODOLOGY
Hackers Locked has developed its own penetration testing methodology called Hackers Proof. This is an advanced methodology created by HL's Security Research Team. It enables Hackers Locked to apply dynamic Vulnerability Research and Proprietary Exploit Development techniques to many aspects of testing during service delivery. Hackers Locked penetration testing deliverables are guaranteed to be free of false positives and usually include findings that cannot be identified with industry standard testing methodologies. Hackers Proof is highly flexible and designed to be augmented by specific modules based on customer requirements. Modules include, but are not limited to, key components of the Open Source Security Testing Methodology Manual (OSSTMM), key components of the Open Web Application Security Project (OWASP), and Hackers Locked proprietary modules.
OUR EXPERTISE
We strongly believe choosing the right people can make or break any business. We don't settle for clinical hackers. We hire the best of breed, out-of-the-box thinkers in this field and offer you nothing but the real deal. That said, our team is fully trained and competes with the best when it comes to professional credentials. Some of these accolades include:
We depended on the expertise of Hackers Locked to identify and report on the security of our design. Hackers Locked quickly identified a number of vulnerabilities and counseled us on how to correct them. We feel confident that our system can now protect our clients data, and feel fortunate that we could engage Hackers Locked to do this.
Dr. Eric Bechhoefer, NRG Systems
WEB APPLICATION PENETRATION TESTING SERVICE
HL's Web Application Penetration Testing services are derived from the Open Web Application Security Project (OWASP) and heavily augmented by Real Time Dynamic Testing. OWASP is the de facto standard for designing and testing secure web applications. Hackers Locked focuses on key areas of OWASP that include, but are not limited to, the following:
Areas covered, with explanation and industry standards:

AUTHENTICATION
Hackers Locked will attempt to find weaknesses in the authentication mechanisms and, if possible, exploit those weaknesses. Hackers Locked will also verify that the authentication methods in place are sufficient for protecting the type of information being protected.
Industry standards: DS5 as outlined by OWASP.

AUTHORIZATION
Hackers Locked will assess the authorization controls of the web application to ensure that only authorized users can perform allowed actions within their privilege level.
Industry standards: DS5 as outlined by OWASP.

BUSINESS LOGIC TESTING
Hackers Locked will assess the business logic of the web application. Business logic testing is unconventional as it attempts to disrupt the logic of an application. This is one of the key areas where we use our proprietary testing techniques to get excellent results.
Industry standards: OWASP and the NIST framework for information security.

SESSION MANAGEMENT
Hackers Locked will assess the session management capabilities of the target to ensure that sessions, once established, cannot be misused or hijacked.
Industry standards: COBIT Topics: PO8 and PO8.4 as outlined by OWASP.

DATA VALIDATION
Hackers Locked will assess the target to ensure that it is sufficiently robust to protect against all forms of input data, whether obtained from the user, infrastructure, external entities, or database systems.
Industry standards: COBIT Topics: DSS11 as outlined by OWASP.

INTERPRETER INJECTION
Hackers Locked will assess the target to ensure that it is sufficiently robust to protect against well-known perimeter manipulation attacks that affect common interpreters.
Industry standards: COBIT Topics: DSS11 as outlined by OWASP and guidelines in the NIST information security framework.

CANONICALIZATION, LOCALE and UNICODE
Hackers Locked will assess the target to ensure that it is sufficiently robust when subjected to encoded, internationalized and Unicode input. Often these types of input are overlooked when creating a web application, which enables attackers to manipulate web applications by using different types of encoding techniques.
Industry standards: COBIT Topics: DS11.9 as outlined by OWASP.

ERROR HANDLING, AUDITING and LOGGING
Hackers Locked will ensure that errors are handled in a secure manner and do not act as a source of information or data leakage.
Industry standards: COBIT Topics: DS11, DS11.4, and DS11.8 as outlined by OWASP.

FILE SYSTEM
Hackers Locked will assess the file system protection mechanisms that are in place to ensure that access to the local file system, or any of the file systems, is sufficiently protected from unauthorized manipulation or data viewing.
Industry standards: COBIT Topics: DS11, DS11.9, and DS11.20 as outlined by OWASP.
BUFFER OVERFLOWS
Hackers Locked will assess the target for buffer overflow vulnerabilities to ensure that the target does not expose itself through faulty components. These vulnerabilities often enable attackers to compromise the system and eventually gain administrative levels of access to the system.
Industry standards: COBIT Topics: DS11.9.

ADMINISTRATIVE INTERFACES
Hackers Locked will assess the administrative interfaces of the target to ensure that administrative-level functions are properly segregated from user activity, that users cannot access or utilize administrator functionality, and that the interfaces provide the proper auditing and tracking functions.
Industry standards: COBIT Topics: PO4 – 4.08, 4.10 as outlined by OWASP.

CRYPTOGRAPHY
Hackers Locked will assess the cryptographic capabilities of the target to ensure that data is stored and transmitted in the safest possible manner with respect to the application's functions and requirements.
Industry standards: COBIT Topics: DS5.18 as outlined by OWASP.

CONFIGURATION MANAGEMENT
Hackers Locked will assess the configuration of the target to ensure that no configuration vulnerabilities exist. Hackers Locked will also assess the configuration of the target to ensure "out of box" security should the target be re-deployed or replicated.
Industry standards: COBIT Topics: DS6 as outlined by OWASP, ISO 27001 guidelines and the NIST information security framework.

DENIAL OF SERVICE ATTACKS
Hackers Locked will assess the target to ensure that it is not vulnerable to denial of service attacks. Examples of these attacks are excessive CPU consumption, excessive disk I/O consumption and excessive network I/O consumption.
Industry standards: Based on the CERT/CC framework.
OUR RELATED SERVICES
Automated Vulnerability Scanning System
Hackers Locked Vulnerability Scanning System (HLVS) puts the power of advanced security services in your hands through rich functionality, flexibility and ever-improving fail-safe capabilities. It is completely browser-based, enabling secure interaction and management from any location. HLVS does not require any new hardware or software; in other words, seamless integration is the key to this solution. Automated scanning is adjustable to your business and customer needs. Automated custom reporting delivers comprehensive results to you without manual intervention, right in the comfort of your home or office.
The HLVS threat database is updated every day via commercial and open source feeds. This means that you can stay ahead of the hackers and protect your infrastructure and web application from emerging threats. Our threat alerting system will send you an alert via SMS or email as soon as a High or Critical issue is discovered. HLVS is a highly scalable solution which lets you scan from 1 to 1 million IPs with just a few clicks.