Green Method has devised approach and model for Vulnerability Assessment and Penetration Testing of the applications that ensures that the customer is provided with an accurate and exhaustive snapshot of the state of the information security of IT applications from a technical as well as business stand points.
Green Method would deploy automated as well as manual assessment methodologies on the scope’s Process, Technology and People domains pertinent to the scope of work as detailed here:
Green Method’s Testing methodology is inspired from the SANS’ 4 stage- Reconnaissance, Mapping, Discovery (Vulnerability Assessment) and Exploitation (Penetration Testing) methodology. This conceptual process in combination with the appropriate (about 60:40) mix of Automated: Manual Test Cases ensures the uncovering of deep-rooted security vulnerabilities from both an Infrastructure and Application perspective. We have included the learning and the guidelines stipulated by the Abu Dhabi Information Security Testing Guide in addition to industry best practices.
Reconnaissance is the first step in a Vulnerability Assessment and/or Penetration Test. It is also the most important process of the test. In this phase, GME’s testing team shall perform active and passive reconnaissance of the target system. During our Mapping phase, we identify all the publicly available services running in the target system, or in case of a Web Application Penetration Test, we discover all the pages, files and directories present in the web application environment. Our reconnaissance techniques include performing DNS-based discovery, Port scanning, services discovery and identification of target system and target environment. We also utilize search engine information disclosure techniques like Google Hacking and an attacker of the system would simulate the use of Social networks to gather specific information.
Discovery phase is a critical phase of the Penetration Test. In this phase, GME’s testing team identifies all possible vulnerabilities in the target system. We utilize automated and manual discovery processes to identify the most deep-seated vulnerabilities in the target system. Vulnerabilities in target systems may be the result of flawed coding practices, non-secure configuration practices or lack of user awareness (in case of Social Engineering attacks).
During web application Penetration Tests, we also perform Business Logic Security Testing that identifies business logic flaws that are not identified by any tools or automated vulnerability scanning tools.
Exploitation phase is the phase, where GME’s testing team launches exploits against the target system based on the vulnerabilities discovered in the discovery phase. Our exploitation techniques are predominantly manual, with a healthy combination of automated exploit tools at our disposal. Our proof-of-concept exploits are aimed at providing a comprehensive understanding of the vulnerabilities and the potential effect of these vulnerabilities manifesting in the target system
The final phase of the Vulnerability Assessment and/or Penetration Test is the Analysis and Reporting. In this phase, GME’s testing team will develop the Vulnerability Assessment and Penetration Testing Report. The testing team will analyze and interpret the results of the test. Based on the understanding of the target system, the risk ranking of High, Medium and Low will be populated with the findings of the test and subsequently, the report is delivered to the client. The following shall be included in each report