Application Security Audit
We’ve all heard the stories of businesses’ data being held for ransom, or businesses’ reputations being destroyed because customer information was obtained. These are not the worst-case scenarios, though. A high-profile security breach could result in you closing your business’ doors. We are here to make sure this does not happen to you.
Approach And Methodology
Our Application Security Audits comprise two main security concepts: Penetration Testing and Vulnerability Testing.
- Penetration testing involves assuming the role of a cyber attacker with the intent of breaking in and gaining access by exploiting system vulnerabilities and technical oversights in the implementation.
- A vulnerability assessment aims to identify any security weaknesses in a system that are commonly known and exploited. During an assessment, methodologies similar to penetration tests are employed, with a clear focus on finding known vulnerabilities.
Deimos performs automated security testing as well as manual testing as part of all its security packages. Performing an automated security assessment first allows the team to catch the low-hanging fruit before focusing on more complex attack vectors. Most often, the real value comes from the manual testing.
Below are various steps performed as part of an Application Security Audit:
- Inspect Application
- Run Automated Scans
- Review Scan Results
- Perform Manual Testing
- Review Test Results
- Compile Findings into a Security Audit Report
- Review the Security Audit Report with you, the client
Key Deliverables from a Cloud Security Audit
At the end of each assessment, Deimos will share a password-protected report outlining each vulnerability, its severity, evidence of the existence of the vulnerability, the risks associated with it, and recommendations on how to address it.
Deimos will also schedule a workshop with the Deimos Security team to discuss the findings and recommendations in more detail.
Deimos can offer the services of its Software Architects, Security Engineers and Software Engineers to assist with fixing the issues outlined in the report. This will be done on a time and materials basis.
For a more in-depth look at how we conduct a cloud security audit, please download an example assessment report below!
Our pricing is based on the number of hours of work we do, which depends on your system/application size. Please get in touch for a quote.
Small Systems/Applications (40 hours)
A small system, consisting of only a handful of components. A small system can be easily maintained by a single team of engineers.
Medium Systems/Applications (80 hours)
Ideal for systems consisting of multiple components. The medium system often requires 2 – 3 teams to maintain.
Large Systems/Applications (160 hours)
Ideal for a system spanning multiple domains. Large systems are complex and built up of multiple components, technologies and frameworks. These systems require many teams to maintain and often require a lot of effort to coordinate.
Below we have outlined the steps and process we take in each audit. This will give you an idea of the way in which we work on your system, and with you.
The Security Audit starts with a project kickoff meeting. This meeting allows us to align on expectations and determine any specific areas you, the client, want us to focus on. This session is also used to get a good understanding of the business and its use of technology.
The Discovery sessions are used to gain a better understanding of the various systems at play. Discovery sessions are extremely important to any closed-box testing: they give us an opportunity to fast-track our understanding of the systems under attack.
This is where the magic happens. During the assessment step, our security and infrastructure engineers perform a review of your systems with the aim of surfacing any security issues and/or concerns.
We compile our findings into a well-written report. We always include recommendations on how to address any issues we raise.
We will review the report together. Our Security Engineers will explain our findings in detail and facilitate any conversations about potential remediations.