Today, one of the weakest links in the corporate security chain is the security of web applications and web services. Although the frameworks used to develop web applications, such as .NET, JEE and PHP, have become more secure than before, the most serious security vulnerabilities emerge at the application layer. Enforsec’s web application penetration test service aims to find both syntactic and business logic vulnerabilities in web applications and to provide solution suggestions. Enforsec uses the OWASP Testing Guide and Web Application Security Checklist as its web application penetration test methodology.
With the popularity of smart devices, the use of mobile applications has also become widespread. The download numbers of mobile applications in the application markets have long exceeded billions, and the fact that these applications are less secure than their web versions is definitely not acceptable for many corporations. The audit of mobile applications includes both classic web application audits and detailed client-side (mobile application) code analysis.
Mobile penetration tests aim to identify security vulnerabilities in native and hybrid mobile applications on mobile platforms, primarily Android and iOS, as well as BlackBerry and Windows Mobile, and to present solution suggestions.
The most definitive form of audit that can be done on applications is software source code analysis. In this audit, the source code of the target software is subjected to automatic and manual inspection within a certain period of time. Source code analysis can reveal hard-to-find business logic security vulnerabilities as well as the security problems that can arise in classic web/mobile application audits. Along with direct security vulnerabilities, it also readily uncovers stability and performance problems that can indirectly affect security. The aim is to examine the code both automatically and manually and to present the problems together with solution suggestions. Enforsec takes the OWASP Secure Coding Practices and OWASP ASVS projects as the basis for its source code analysis methodology.
Today, the transmission, processing and storage of information are vitally important. The network security audit aims to find vulnerabilities in the components that make up the IT infrastructure institutions use to transmit information (servers, user computers, network devices, etc.) and to present solution suggestions.
The aim is to reveal the security problems of applications (SCADA) used in the management and monitoring of critical infrastructures, such as the production and distribution systems of institutions, and to provide solutions with an industrial IT perspective.
Databases are at the forefront of attackers’ ultimate targets because they directly host sensitive data within the institution. Even when they are not open to remote access and are hosted in isolated environments, they are exposed to attacks carried out through application layers and corporate internal networks. Database security audits aim to reveal security vulnerabilities specific to databases and to provide solution methods.
Social engineering tests aim to evaluate the human factor in information security. These tests also identify human-related weaknesses, covering the adequacy of security policies given the company’s line of business, the security awareness of employees, and the physical security measures in place. During the audits, general social engineering test methods are used, as well as test scenarios specific to the institution and its lines of business.
Wireless Network Penetration Audits aim to discover wireless networks at specified locations, detect security vulnerabilities that may be found in those networks, and present solution suggestions.
DoS/DDoS attacks aim to make systems or applications inoperable. They are one of the types of attack commonly used by attackers today. The DoS/DDoS tests allow customers to measure the resilience of their systems or applications to DoS/DDoS attacks and provide solution suggestions that contribute to resolving the problems found.