Slime Mold

Penetration Testing

Penetration testing is a proactive cybersecurity service in which the tactics, techniques, and procedures (TTPs) of malicious adversaries are employed to simulate real-world attacks on a company's environment. This in-depth engagement goes beyond a vulnerability assessment by incorporating manual testing by security engineers, ensuring a thorough analysis that automated tools alone might overlook. The process adheres to standards such as OWASP ASVS and MITRE ATT&CK®. Upon completion, a detailed report is provided that highlights each vulnerability, its NIST CVSS score, associated Common Vulnerabilities and Exposures (CVE) and MITRE ATT&CK® references, and recommended mitigation steps.

Testing Scope

Defining the scope of a penetration test is crucial for understanding the target application or network environment. This involves specifying target URLs, network equipment, and API endpoints. In scoping meetings for web application testing, security engineers ask for a brief overview of the application's functionality; any questions they pose are aimed at making the testing more efficient. Since clients use the application daily, they can guide testers to prioritize critical areas. The same principles apply to network penetration testing, where engineers may request network architecture details and prioritize testing based on the criticality of the services hosted. Scoping meetings typically last 1 to 1.5 hours, depending on the target and the client's testing requests.

Testing follows one of two methodologies, depending on the target.

Web Application Penetration Testing

Proactive web application penetration testing using the OWASP ASVS framework, verifying your application's defenses against prevalent attacks before they occur.

Network Penetration Testing

Network penetration testing assesses network assets for vulnerabilities using the MITRE ATT&CK® framework, leveraging expert insight to strengthen security and deliver a detailed findings report.

Report

After testing, clients receive a detailed report covering the identified vulnerabilities, their associated risks, technical reproduction steps, and mitigation recommendations. Critical issues prompt immediate client notification for swift remediation. The report comprises the following sections:

Executive Summary

This section offers a strategic overview tailored for C-suite executives and non-technical stakeholders. It summarizes the overall security landscape, emphasizing the threat vectors explored, the severity distribution of identified vulnerabilities, and potential business implications, while aligning with industry benchmarks and compliance standards.

Risk Rating

A dual-evaluation approach is used. Vulnerabilities in web applications are assessed with the OWASP Risk Rating Methodology, which factors in threat agents, attack vectors, and technical impact. Network vulnerabilities are evaluated with the NIST CVSS Calculator, a globally recognized standard that quantifies severity based on metrics such as exploitability and impact. Together they provide a holistic view of the organization's cybersecurity posture.
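As an added illustration (not part of the original page or the provider's own tooling), this is how the OWASP Risk Rating Methodology named above turns factor scores into a severity: likelihood is the mean of the eight threat-agent and vulnerability factors, technical impact is the mean of the four impact factors, and both are bucketed and combined through the OWASP overall-severity matrix. The factor key names and the sample scores are constructed for this example.

```python
from statistics import mean

# Factor names from the OWASP Risk Rating Methodology; each is scored 0-9.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",           # threat agent
                      "ease_of_discovery", "ease_of_exploit", "awareness",      # vulnerability
                      "intrusion_detection")
TECHNICAL_IMPACT_FACTORS = ("confidentiality", "integrity", "availability", "accountability")

# OWASP overall-severity matrix, indexed as SEVERITY_MATRIX[impact_level][likelihood_level].
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}


def level(score: float) -> str:
    """Bucket a 0-9 average: 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Mean of the named factors; a missing factor raises KeyError, a bad score ValueError."""
    values = [factors[n] for n in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must be between 0 and 9")
    return mean(values)


def rate(finding: dict) -> dict:
    """Likelihood, technical impact and overall severity for one web-application finding."""
    likelihood = average(finding, LIKELIHOOD_FACTORS)
    impact = average(finding, TECHNICAL_IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {"likelihood": likelihood, "likelihood_level": l_level,
            "impact": impact, "impact_level": i_level,
            "severity": SEVERITY_MATRIX[i_level][l_level]}


# Constructed sample scores (not from a real report): a publicly known, fairly easy to
# exploit weakness that existing monitoring detects, with high confidentiality impact.
SAMPLE_FINDING = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
    "confidentiality": 9, "integrity": 7, "availability": 5, "accountability": 8,
}
# rate(SAMPLE_FINDING) -> likelihood 4.375 (MEDIUM), impact 7.25 (HIGH), severity "HIGH"
```

Swapping the four technical factors for OWASP's business-impact factors (financial, reputation, non-compliance, privacy) uses the same code path and often lowers the result, which is why a report should state which impact set it rated.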

Technical Details

This section examines the technical anatomy of each vulnerability. It explains the underlying weakness, the potential attack pathways, and the consequences if exploited, framing the threat in terms of the CIA triad (Confidentiality, Integrity, Availability) and likely adversarial motivations.

Proof of Concept

Beyond identification, this section provides empirical evidence that the vulnerability is exploitable. It gives a step-by-step walkthrough, showing techniques such as payload injection, crafted scripts, or manipulated HTTP responses, thereby confirming that the vulnerability exists and is exploitable within the tested environment.

Remediation

Recognizing that identification is only half the battle, this section is dedicated to strengthening the organization's defenses. It prescribes tailored countermeasures, best practices, and patching strategies, aiming not only at remediation but also at future resilience against similar threat vectors. The guidance is aligned with industry frameworks such as SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53), and ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection (ISO/IEC 27001), supporting a robust and compliant security posture.

OWASP Top 10 (2021)

A01:2021 - Broken Access Control

94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.

A02:2021 - Cryptographic Failures

Previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.

A03:2021 - Injection

94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.

A04:2021 - Insecure Design

A new category for 2021, focusing on risks related to design flaws. If we genuinely want to "move left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

A05:2021 - Security Misconfiguration

90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it is not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.

A06:2021 - Vulnerable and Outdated Components

This category moves up from #9 in 2017 and is a known issue that is hard to test for and to assess the risk of. It is the only category without any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into its scores.

A07:2021 - Identification and Authentication Failures

Previously known as Broken Authentication, this category slides down from the second position and now includes CWEs that are more related to identification failures. It is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

A08:2021 - Software and Data Integrity Failures

A new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now part of this larger category.

A09:2021 - Security Logging and Monitoring Failures

This category is expanded to include more types of failures, is challenging to test for, and is not well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

A10:2021 - Server-Side Request Forgery (SSRF)

The data shows a relatively low incidence rate with above-average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where members of the security community are telling us this is important, even though it is not yet illustrated in the data.