Penetration Testing

Validating Your Application Security Controls

With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business-focused attacks, the security focus has shifted to the next battlefront—applications.

Application security testing examines an application's own security controls rather than the operating system or device that hosts it. The review focuses on custom-developed or in-house-built applications rather than commercial off-the-shelf software, and it does not cover hosting software such as web servers; the target is the application software itself.

This specialized form of penetration testing utilizes automated and manual testing strategies designed to assess the development efforts of web-based applications. Assessments can be executed using black-box methodologies from an attacker’s point of view or white-box strategies by reviewing source code and developing threat models. Lares® believes that white-box source-assisted testing provides the most value to our clients, as many vulnerabilities are more easily discovered with the source code.

Web

As most organizations have a mature external network perimeter, attackers have turned to application vulnerabilities to find a way into companies. Lares goes beyond the automated scans to manually dig into web applications, finding the deep and more severe flaws that a scanner will never find, such as privilege escalation, logic flaws, and encryption implementation issues.

Mobile

Mobile applications add an extra attack surface for companies to protect. Lares dives deep into iOS and Android applications, analyzing local storage, transport security between the application and the web service, local database use, and the application runtime environment, including hooking the application to bypass protections.

Source Code Reviews

Lares will manually scour the application's source code and run analyzers to identify weaknesses in the code. This process is also known as Static Application Security Testing (SAST). An intelligent approach is taken by first focusing on security-critical features such as authentication, authorization, and encryption and moving outward from there. 

Architecture and Configuration Review

Reviewing the design, architecture, and configuration of applications early in the process can eliminate many vulnerabilities before they reach the production environment. Lares can help with the application design process and ensure that the environments the applications will be deployed in are implemented securely. This is achieved by reviewing the proposed architecture and design for an application and comparing them against security best practices.

Cloud Infrastructure

As companies turn to the cloud for cost savings, they must be aware of the risk and exposure this can cause. The use of the cloud is not inherently dangerous. However, due care must be taken to ensure the service is implemented and configured correctly using best security practices, much like any on-premises system. Lares is familiar with the most popular cloud services, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Lares can help companies ensure that these environments are configured correctly to protect their users' data from attackers.

Embedded Systems

Embedded systems, such as ATMs, Point-of-Sale (POS) systems, and similar devices, often run scaled-down, customized, or proprietary operating systems. A breach of these systems can seriously affect the company and its customers. Testing them requires a particularly specialized set of skills to look at the system as a whole, across the hardware, network, and application layers. Lares is well versed in performing these types of assessments with our team of specialists.

Internet of Things (IoT)

Internet of Things (IoT) devices are the latest hotness for both consumers and corporate users. Though they provide value and efficiency to their users, they also expose the network to additional attack surface and complexity. Testing these systems requires a particularly specialized set of skills to examine the system as a whole, across the hardware, network, and application layers. Lares is well versed in performing these types of assessments with our team of specialists.

Product Security Reviews

Product security reviews are a perfect developmental security step for all manufacturers. This comprehensive review of products will incorporate all levels of the OSI Stack (Application, Presentation, Session, Transport, Network, Data Link, and Physical). Lares security specialists are equipped to review advanced end-to-end products from custom hardware through the applications presented to the consumer. This approach looks at a system as a whole, rather than as only individual components. This review can be used to enhance and fortify the product line as well as be used as a competitive advantage.

DevSecOps

There is a well-known principle that a bug becomes much more expensive to fix the closer it gets to production. Based on this principle, it is advantageous to identify and remediate vulnerabilities early in the development process. Lares works with the development and operations teams to identify security gaps in the Secure Software Development Lifecycle (SDLC) and helps the development team integrate security into this process to eliminate bugs as early as possible.

ICS/SCADA

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems help run critical infrastructure all over the world. From nuclear power plants to the power grid, these systems play a crucial role in keeping life running as we know it. These systems are typically very old and fragile, a volatile combination when they are subjected to testing. The Lares testing team is experienced in testing these types of systems effectively and with care, to prevent them from going offline.

Reverse Engineering

On rare occasions, it is necessary to decompile opaque binaries, whether they are malware or closed-source applications that are no longer supported. Lares has the expertise to tear an application apart and analyze it at a very low level to discover its functionality and true intentions. Where possible, Lares can even modify and recompile these applications to bypass functionality or add additional functionality.

Application Security Staffing

Lares can help design, build, execute, and staff application security teams from the ground up. With the current shortage of highly experienced talent in information security, the Lares team offers access to its extensive network of highly trained application security experts. Each candidate provided will pass a stringent background check and thorough technical review. Each employee will be held to the same stringent standards as all Lares engineers to ensure our staffing equals or exceeds the best of industry providers.

Lares Application Security Assessment Methodology

The objective of an application assessment is to determine the application's overall security and the security of the communication between the application's different components and back-end systems. By performing an application assessment, Lares® can ensure the appropriate controls are implemented within the application to protect the confidentiality, integrity, and availability of the information.

Some of Our Delighted Customers

"The expertise and professionalism that Lares' Purple Team brings to the table are unmatched. We will definitely be bringing them back for future engagements."
Benjamin Vaughn
SVP & CISO, Hyatt
"They wanted to see us succeed as much as we wanted to see us succeed. This is why, 10 years later, we are still having this conversation."
Jeffrey Hecht
(Former) Chief Compliance & Security Officer, The Word & Brown Companies
"The biggest benefit of having a Lares vCISO is getting guidance on how to tackle security issues and determining a realistic approach on how to address them."
Andrew Casceillo
Corporate Director of Technical Services, Ulbrich Stainless Steel and Speciality Metals Inc.

CASE STUDY: Word & Brown

Using a culture of security as a baseline, Word & Brown achieved compliance because of its security journey — not in spite of it.

Empowering Organizations to Maximize Their Security Potential.

Lares is a security consulting firm that, since 2008, has helped companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching.

16+ Years

In business

600+

Customers worldwide

4,500+

Engagements

Where There is Unity, There is Victory

[Ubi concordia, ibi victoria]

– Publius Syrus


Continuous defensive improvement through adversarial simulation and collaboration.


©2024 Lares, a Damovo Company | All rights reserved.

