Security audits
Security audits organised by certified experts
What is a security audit?
Security audits complement penetration tests because they add an additional layer of assessment on technical aspects such as the source code, system and network configuration, and other documentation that attackers do not usually have access to. These services make it possible to discover security loopholes that have strong and lasting impacts but are difficult to identify in “black box” mode.
The results of these services allow SSL247® to provide you with specific recommendations (and a corrective patch for a source code audit, for example, if required), and give you information on the state of your tested applications, system and network security.
SSL247® offers the following security audits:
Configuration Review
An extensive security audit of switches, routers and other critical devices on your network.
Source Code Review
The most comprehensive audit to identify vulnerabilities in the code of your application.
Security Architecture Review
An audit to identify the strengths and weaknesses of your information system’s architecture and security.
Which solution is best for your organisation ?
Our PenTesters designed a questionnaire to determine the best security solution for you.
Security audits proposed by SSL247®
Configuration review
What is a configuration review?
A configuration review assess the security of one or several specific devices on your network and how they are configured/integrated.
Why carry out a configuration review?
Our specialised consultants will aim to identify any differences between the security configuration of your components (such as the server, workstation, database, specific applications, etc.) and existing security best practices.
This review covers the following:
Targeted and comprehensive identification of inconsistencies and faults that expose the platform to a security risk.
Identification of weaknesses and assessment of the associated risks (such as the risk and safety impact or attack complexity).
Creation of a remediation plan to upgrade the security level and configuration of components, including precise and targeted proposals tailored to your needs.
The different steps of a configuration review
The methodology of a configuration review can be adapted to any type of environment, including: servers/workstations (Windows, Unix, etc.), database servers, application servers, network equipment (filtering rules), telephone equipment (PABX, IPBX, SVI...), and mobile terminals. Our consultants are able to produce security enhancement guides and provide your teams with resources enabling them to employ best practice methods on any type of technology mastered by SSL247®.
We can also develop regular verification scripts ("compliance checks") that cover a broad scope and ensure the security of your configurations in the long run.
Our configuration reviews will provide you with a full range of implications to your business (from management procedures to technical implementation).
The service is divided into two phases:
- Phase 1: Understanding the context and usefulness of each element
- This provides an overall understanding for the auditor and thus provides context-specific results.
- This phase can include the analysis of documentation and interviews with technical teams for a more comprehensive review.
- Phase 2: Vulnerability analysis: All equipment services are verified and each configuration element is analysed
- Updates for each service are systematically verified.
- Particular attention will be paid to all security mechanisms, whether in action or not (data encryption, analysis of the anti-virus system, etc.).
Source Code Review
What is a source code review?
A source code review is the most comprehensive service that can be conducted on an application, as it can fully detect the vulnerabilities affecting any application by examining the source code.
Why carry out a source code review?
Prerequisites
This type of review requires the provision of the source code itself and additional related documentation. Interviews with developers and architects can also be conducted for a more comprehensive review.
Extensive application research
A source code review makes it possible to go beyond the vulnerabilities that are detectable in a black box mode test (notably during an application penetration test). This is because a source code review can find weak points within the internal mechanisms, such as the lack of encryption and best practices in development, as well as weaknesses in authentication, traceability and logging processes. Being able to detect and correct these weaknesses can significantly increase the overall level of security of your application.
Regulation Compliance
If necessary, we are also able to validate compliance with the regulations in force (rules imposed by PCI-DSS [encryption, etc.], requirements of the regulatory authorities, compliance with legal requirements for public websites...).
Security Architecture Review
What is a security architecture review?
This technical review involves an accelerated analysis of the targeted technical architecture, based on the information and elements provided. It does not cover the use of technical controls on systems, but takes into account technical hotspots and the initial action plan procedures.
Why carry out a security architecture review?
This review is composed of :
Identification of needs and analysis of the existing situation: This is usually carried out through interviews with business, technical (production and engineering) and organisational (safety) teams. These meetings will establish the requirements of each department that can then be analysed against the security design and existing protection mechanisms.
Inventory of results: Analysis of the test results (including penetration tests) and identification of the major risks associated with the current architecture.
Presentation of best practices and feedback covering: organisation (process, strategy), operation, administration and architecture, documentation and procedures.
Detailed and comprehensive reportsOur reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the traces of information, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of all identified vulnerabilities. |
|
This service may also interest you:
Why choose SSL247®?
SSL247® has over 12 years of experience and expertise in the web security industry and numerous accreditations such as the EMEA Symantec Champion Award 2017 and the certification ISO 27001:2013.
n addition, our in-house team, specialised in security evaluation, penetration testing and security audits, is composed of certified and recognised experts in the field of security, and hold qualifications such as: OSCP, OSCE and OPST
Get in touch
For more information on how our Security Audit can benefit your business, get in touch with one of our friendly accredited consultants for no obligation discussion: