A traditional threat model can take months to complete. Security Compass’s methodology, Threat Model Express, minimizes the time and cost compared to traditional threat modelling. We developed this program to be compatible with fast-paced development processes such as Agile, reducing month-long threat models to pragmatic results that can be delivered in less than a week.
We work with your teams to review your application architecture, business needs and critical paths, and walk through an interactive exercise with your application team to raise the profile of security. We help development teams consider security during the early stages of the SDLC.
This is an assessment of internal or external facing web applications using anonymous or credentialed testing techniques designed to simulate an attacker’s knowledge of the application. Testing combines automated and manual techniques covering the OWASP Top 10 web vulnerabilities, as well as business logic flaws, authorization, authentication, and more.
This is an assessment of mobile applications for Android and iOS involving the inspection of the mobile application for authentication, authorization, session management flaws, and more. The application programming interface (API) serving the mobile app is often left open on external networks where tampering is possible, so a mobile application security assessment will also review that API for weaknesses.
An assessment of traditional applications that run on desktop operating systems such as Windows. We inspect the application functionality for security concerns relevant to the business use case for the application. Data management, storage, internal and external communication, registry, databases and more are reviewed for security concerns. Where necessary, deep-dive assessments on application vulnerabilities through reversing of the binary can be performed.
A combination of automated and manual review of critical source code components can help identify gaps in coding practices for developers. We can perform this review in tandem with a runtime assessment for a more complete picture. We support source code review in Java, .NET, PHP, and C languages.
Triaging results for static and dynamic analysis requires deep security expertise. Our Consultants integrate with your teams and business processes to help triage vulnerabilities and provide recommendations on how to interpret scan results (e.g., from HP Fortify, IBM AppScan, etc.) – saving you time to focus on higher-level strategic security goals.
An inspection of physical PoS terminals, related hardware and applications. Assessments include reviewing vulnerabilities in the applications, physical security and surrounding infrastructure for the PoS devices. Concerns include transaction management, storage of sensitive data, credit card processing and handling, user management, database management, and restrictions to secure the PoS device.
We perform a combination of automated and manual assessments of the security posture of your external or internal network infrastructure. We will assess open ports and services across a given network range to identify vulnerabilities that may be exploited in an effort to gain access to your corporate networks.
Our assessment includes testing for rogue wireless access points and those masquerading as legitimate access points. Our physical walk-around will seek to identify misconfigured access points and assess the security of the wireless protocols in use.
A comprehensive review of in-scope devices to ensure optimal configuration and security. We can help you develop and validate security policies and procedures for each device as needed.
Each IoT device requires a risk-based approach that considers its threats. Since every connected device requires different controls, assessment categories can vary, for example: authentication and authorization, cryptographic storage and implementation, input and output validation, cloud validation, secure communications, physical security, and more. We will work alongside your team to understand and identify your key business and technical risks in order to perform the optimal assessments for your specific IoT device.
These are safe and controlled exercises focused on verifying the readiness of the security and network operations teams. The Red Team represents the attackers and the Blue Team the defenders. A Purple Team can be included in the exercise to integrate the defensive tactics of the Blue Team with the vulnerabilities found by the Red Team.
As the Red team infiltrates targets, the Blue team monitors, analyzes and responds to the attack as if in a real attack scenario. Results of these exercises help validate strengths and discover gaps in current response capabilities. The exercise also helps to verify the effectiveness of existing incident response and security monitoring devices.
We perform assessments of physical offices and hardware installed in public areas to help you identify security gaps and weaknesses. Remediating these issues will lower the risk of an intruder breaking into a physical office or tampering with proprietary hardware installed in a public location.
Employees can be a major weakness to enterprise security. We can design one-off custom phishing simulations to help you identify security awareness gaps within targeted business units, regions, or across the entire organization. The results will help provide management with insight into the overall effectiveness of your security awareness program.
You’re different, and we know it.
We are your guide to planning, assessing, and helping you build secure information systems to keep your business productive.
Contact us to find out how we can help you.