Security testing is the art of using offensive testing techniques to verify the effectiveness of existing security controls and to establish the full impact of any identified vulnerabilities should they be exploited by a malicious attacker.
Different offensive testing techniques can be used depending on your organization's security objectives. These techniques range in scope and coverage from initial vulnerability assessments, which focus more on breadth of coverage, to penetration tests, which are a more in-depth examination of specific assets (such as web applications, networks or mobile applications). Penetration testing then leads on to, and forms part of, larger, more complex and in-depth attack simulations which span multiple domains of information security (people, process and technology) to identify vulnerabilities across the organization.
The BSI Security Testing Maturity Framework (outlined below) can be used to help identify the most effective security testing level for your organization. The framework marries the security maturity of an organization with its appetite for risk to identify the optimal level of testing and provide the best return on investment.
We can provide many of these services through our security testing practice, including:
- Vulnerability assessments: utilizing tools and techniques designed to identify and classify vulnerabilities, then applying consultant knowledge to verify the identified vulnerabilities and add context for prioritization
- Penetration testing: using manual testing techniques, supported by automated processes and tools, to assess the security posture of specific assets and identify any security vulnerabilities they may contain, for example in networks, web applications, mobile applications and internet of things devices
Attack Simulation Assessments:
- Red Team testing (offensive assessments), attacking the whole organization across multiple domains (people, process and technology)
- Blue Team testing (defensive assessments), coaching and assessing response team activities versus best practice or organizational key performance indicators (KPIs)
- Purple Team testing (offensive and defensive), with one team performing offensive attacks whilst assessing, and in some cases coaching, the defensive team's ability to respond to those attacks