Penetration Testing

Security Testing Capabilities of SQ.
SQ is an expert in Security Testing. We improve security infrastructure through continuous security testing that integrates with Agile and DevOps environments to support continuous delivery pipelines and short release cycles.
SQ's vulnerability assessment techniques and penetration tests ensure application risks are minimized.
SQ can help you develop a Security Testing strategy and implementation blueprint, and can also provide the tools, people and methodologies to perform security testing. We are a team of 5+ certified and trained security testing experts, ethical hackers and code analyzers with expertise in multiple industries/domains who use cutting-edge technological tools/resources for security testing.

Service Introduction

Security Testing is an integral part of any organization because of the increase in the number of sophisticated attacks targeting companies' digital systems and the resulting threat of data, IP and privacy breaches. Considering the compliance penalties, litigation costs and loss of customer trust arising out of such attacks, the scenario becomes extremely grave.
At SQ, we understand the need for and importance of Security in the overall test strategy and adopt robust testing methodologies to address clients' needs. Security testing has to be tightened even further with the vast adoption of mobility, virtualization and cloud platforms.
Security Testing Methodology:

1. Internal Penetration Testing:
An internal pen test is performed to help gauge what an attacker could achieve with initial access. An internal pen test can mirror insider threats, such as employees intentionally or unintentionally performing malicious actions.
SQ shall complete the Internal/Physical Penetration Testing Assessment using the following:
• Internal DNS configuration.
• Identify subnets and network architecture.
• Systems enumeration.
• Default or weak authentication configurations.
• Port scans.
• Identify running services.
• Validate authentication requirements for non-public information.
• Test system patch levels for currency.
• Identify weak protocols used in the environment.
• Conduct vulnerability scans of systems and network devices.
• Conduct scanning for wireless networks belonging to the customer organization and assess any vulnerabilities associated with the service or connected resources.
• Exploit systems when possible.
• Evaluate test results and identify false positives.

2. External/Internet Penetration Testing:
An external pen test is designed to test the effectiveness of perimeter security controls in preventing and detecting attacks, and to identify weaknesses in internet-facing assets such as web, mail and FTP servers.
SQ shall complete the External/Internet Penetration Testing Assessment using the following:
• Search for publicly available information using the Internet and newsgroup postings.
• Search domain registration for useful information.
• Retrieve public Domain Name Service (DNS) records.
• Identify systems accessible over the Internet (e.g., web, email, etc.).
• Conduct port scans.
• Identify running services.
• Conduct Simple Network Management Protocol (SNMP) scans.
• Identify operating systems if possible.
• Identify web and email service versions.
• Enumerate systems if possible.
• Attempt to utilize remote access protocols if available.
• Email server analysis (e.g., open relay, anonymous email, etc.).
• Web server analysis (e.g., default configuration, sample scripts, etc.).
• Website and web application analysis.
• Conduct vulnerability scans of systems and network devices.
• Exploit systems when possible.
• Evaluate test results and identify false positives.

Vulnerability Assessment and Threat Modelling
Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritized.
We perform risk assessments that document reasonable and foreseeable threats to the Client Company, as well as the controls in place to mitigate those threats.
Controls will be tested through sampling to determine effectiveness.
Vulnerability risk assessment and analysis shall include, but is not limited to, the following:
• Validate physical security controls around sensitive systems.
• Verify environmental protection against fire, flood and other hazards.
• Verify antivirus software deployment and maintenance.
• Review user account administration procedures and practices.
• Review firewall filtering rule configurations.
• Validate separation of duties and dual control issues.
• Assess encryption methodologies used.
• Validate controls over software licensing.
• Evaluate data destruction procedures.

Web Application Security Testing
• Black box analysis: Web Application Scanning provides dynamic analysis security testing tools that help to identify vulnerabilities in applications running in production.
• Static Code analysis: Static Analysis provides tools for automated code testing without requiring access to source code, enabling developers to find vulnerabilities in code they write, buy and download.
• Third-party software analysis: Software Composition Analysis helps identify vulnerabilities in open-source and commercial code in third-party components as well as your own software, delivering visibility across your entire application landscape.
• Manual penetration testing: We also offer best-in-class penetration testing services to augment automated web application security testing.
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfigurations
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging and Monitoring

SQ Offerings:
• Security TCoE (Security Testing Centre of Excellence) to offer a wide variety of the best-in-class security testing solutions
• Infrastructure, Web services / API security testing
• Data security validation and testing of role-based authentication/authorization
• Mobile security testing (hybrid and native apps, mobile web). Wearables security testing
• Web application security testing (penetration testing, secure code analysis, vulnerability management)

SQ Differentiators
By leveraging our accelerators and frameworks, you can derive several qualitative and quantitative benefits:
• Affordable and easy-to-adapt security solutions, thus making security affordable for every type of business
• Use of open source and commercial tools for security testing automation
• Cloud-based security testing services
• Centralized tracking and reporting for compliance
• TCoE for quick fixes of problems and early detection of vulnerabilities that reduce risk
• Reduced expense on managing breaches and their consequences
• A varied repository of security test cases to check vulnerabilities
• Manual analysis and verification to eradicate false positives