Pentests & Security Reviews

The security baseline: I offer to test and improve the security of your applications by applying offensive hacking techniques (the ones used by malicious intruders) to search for and evaluate security holes during an individual, manual blackbox pentest. All kinds of attacks covered in my training courses will be tested, as well as many more specialized vulnerabilities.

A less complex alternative: For a recurring and quick evaluation of rather common security checks, I offer to scan web applications with my individually configured and customized toolchain (with manual verification of the results to rule out false positives). This semi-automated solution doesn't match the quality of a manual pentest, but still catches the easier-to-find vulnerabilities quickly and efficiently.

A more individual alternative: A whitebox analysis of your software allows for the best application hardening and pentesting results. During such a security review I conduct a workshop with members of your development team and discuss a wide range of security topics related to your architecture. My detailed question list, based on my experience as both a developer and a pentester, will address and assess the important security aspects of your software.

Every type of security check offered includes a detailed report of the issues found, rated by priority, along with countermeasures and tips to further harden your application. All checks can be executed remotely (via Internet or VPN) as well as on site. Just send me a mail if you wish to receive more detailed information.

I offer different kinds of services to test and improve the security of

  • web applications,
  • application server infrastructures,
  • REST & SOAP service endpoints,
  • (mobile) APIs and
  • wireless networks.

Blackbox Pentest

An individual blackbox penetration test is the type of security check that establishes a security baseline for your applications: offensive hacking techniques used in manual attacks against a (web or rich-client) application typically reveal the security holes attackers would exploit in a real-world scenario.

This kind of security check can be executed with no or minimal prior knowledge of the underlying software system. While it is theoretically possible to test live production systems, a pentest yields the best results when executed on a test environment.


Recurring Web Scan

This kind of security check detects rather common security vulnerabilities in a web application while being quick and effective. Semi-automated scans using an individually configured and customized toolchain are augmented by certain manual checks. A subset of the scan is even safe for live production systems, in case providing a test system would be too much effort.

As more specialized security holes or chained issues cannot (by design) be found solely by using tools and scanners, it is best to execute the web scan on a recurring basis after an initial blackbox pentest has already been performed.


Whitebox Security Review

To obtain an in-depth security assessment and tips relating to the architecture of your software system, a whitebox security review checks for many aspects of secure software development.

This review begins with a workshop with the key players of your software development process: the developers! Based on my combined experience as a Java software developer and pentester, I will check and discuss many security-related aspects of software development with your team. These topics range from the overall architecture to the inspection of source code samples.