What is a security audit?
Security audits complement penetration tests because they add an additional layer of assessment on technical aspects such as the source code, system and network configuration, and other documentation that attackers do not usually have access to. These services make it possible to discover security loopholes that have strong and lasting impacts but are difficult to identify in “black box” mode.
The results of these services allow SSL247® to provide you with specific recommendations (and a corrective patch for a source code audit, for example, if required), and give you information on the state of your tested applications, system and network security.
We offer the following security audits:
Our security audits
Configuration Review
A configuration review assesses the security of one or several specific devices on your network and how they are configured and integrated.
Our specialised consultants will aim to identify any differences between the security configuration of your components (such as the server, workstation, database, specific applications, etc.) and existing security best practices.
This review includes:
- A targeted and comprehensive identification of inconsistencies and faults that expose the platform to a security risk.
- The identification of weaknesses and assessment of associated risks.
- The creation of a remediation plan to upgrade the security level and configuration of components, including precise and targeted proposals tailored to your needs.
An SSL247® configuration review is divided into two phases:
Phase 1: Understanding the context and usefulness of each element
- This provides an overall understanding for the auditor and thus provides context-specific results.
- This phase can include the analysis of documentation and interviews with technical teams for a more comprehensive review.
Phase 2: Vulnerability analysis: all services on the equipment are verified and each configuration element is analysed
- Updates for each service are systematically verified.
- Particular attention is paid to all security mechanisms, whether active or not (data encryption, analysis of the anti-virus system, etc.).
A configuration review can be adapted to any type of environment, including: servers/workstations (Windows, Unix, etc.), database servers, application servers, network equipment (filtering rules), telephone equipment (PABX, IPBX, SVI...), and mobile terminals.
Our consultants are able to produce security enhancement guides and provide your teams with resources enabling them to employ best practice methods on any type of technology mastered by SSL247®.
We can also develop regular verification scripts ("compliance checks") that cover a broad scope and ensure the security of your configurations in the long run.
Our configuration reviews give you a full view of the implications for your business (from management procedures to technical implementation).
Source Code Review
A source code review is the most comprehensive service that can be conducted on an application, as examining the source code directly allows the vulnerabilities affecting the application to be detected in full.
This type of review requires the provision of the source code itself and additional related documentation. Interviews with developers and architects can also be conducted for a more comprehensive review.
Extensive Application Research
A source code review makes it possible to go beyond the vulnerabilities that are detectable in a black box mode test (notably during an application penetration test). This is because a source code review can find weak points within the internal mechanisms, such as the lack of encryption and best practices in development, as well as weaknesses in authentication, traceability and logging processes. Being able to detect and correct these weaknesses can significantly increase the overall level of security of your application.
If necessary, we are also able to validate compliance with the regulations in force (rules imposed by PCI-DSS [encryption, etc.], requirements of the regulatory authorities, compliance with legal requirements for public websites...).
Complementary Penetration Tests
With this type of review, we can perform a complementary application penetration test in order to combine the two approaches and obtain the most comprehensive results possible.
Security Architecture Review
This technical review involves an accelerated analysis of the targeted technical architecture, based on the information and elements provided. It does not cover the use of technical controls on systems, but takes into account technical hotspots and the initial action plan procedures.
Identification of needs and analysis of the existing situation
This is usually carried out through interviews with business, technical (production and engineering) and organisational (security) teams.
These meetings will establish the requirements of each department that can then be analysed against the security design and existing protection mechanisms.
Inventory of results
Analysis of the test results (including penetration tests) and identification of the major risks associated with the current architecture.
Presentation of best practices and feedback
This includes documentation and procedures on an organisational (process, strategy), operational, administrative and architectural level.
Security Audit Reports
Our reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the evidence gathered, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of every identified vulnerability.
Why choose SSL247®?
SSL247® has accredited experts with over 15 years' experience in the security industry and has achieved a variety of accreditations, including the EMEA Symantec Champion Award 2017, ISO 9001:2015 and ISO 27001:2013.
Responsive and flexible
Our accredited security consultants and certified pentesters are here to respond and advise you on the most appropriate approach to follow.
All our consultants and auditors are regularly trained by third-party organisations to be kept informed about the latest vulnerabilities and attack techniques.
Our consultants hold the following certifications, amongst others: OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert) and OPST (OSSTMM Professional Security Tester).