Penetration Testing


At stratsec we provide specialist application, operating system and infrastructure level penetration testing services. We also support the compliance requirements of companies with internal penetration testing teams by auditing the processes followed against industry best practice.

The stratsec penetration testing team provides the full range of penetration testing and vulnerability assessment services to simulate a malicious attacker, while applying specific management and quality assurance processes to ensure that the testing process and any impact are controlled and managed. As our senior technical personnel are qualified software engineers as well as IT security professionals, we are able to provide a level of specialisation and differentiation in the security testing of non-standard systems, including legacy systems, midrange/mainframe integration, proprietary protocols and encodings, thick- and thin-client systems, and other system types where automated testing is not possible.

stratsec has a proven track record in penetration testing, providing these services to more than half of the 20 largest listed companies in Australia, as well as to local, state and federal government agencies. Our penetration testing team also supports a number of financial institutions with regional headquarters in Asia.

Our penetration testing team is internationally recognised, with stratsec penetration testers presenting at industry conferences including: RUXCON, OWASP and AusCERT (Australia); BlueHat (Microsoft, USA); EUSecWest (UK); Power of Community (Korea); XCon (China); Hack in the Box (Malaysia); and the Information Security Summit (Hong Kong and NZ).

The following differentiates our capability from our competitors:

  • Vendor neutral. We are not committed to using testing products from any one vendor, but rather use ‘best of breed’ tools - the same toolset a real attacker would use. When required, our technical staff can develop custom exploit code to test the security posture of a system thoroughly.
  • Quality controlled. Our penetration testing services are delivered under an ISO 9001 accredited quality system. stratsec is strongly committed, from the stratsec Board through to every employee, to delivering the highest quality penetration testing services. We understand that this pursuit of excellence can only be realised through stringent project management and quality assurance processes.
  • Standards based. Our penetration testing services meet current security best practice. stratsec security testing methodologies are based on local and international security standards and guidelines, and on current risk management practices. We continually develop our methodologies and capabilities to ensure that our approach and techniques remain aligned with current best practice and with the latest exploits and exposures.


Application-level security testing
Application-level security testing targets business applications hosted on organisation-owned or outsourced ICT infrastructure. Targets include both in-house and commercial off-the-shelf applications, such as:
  • web applications and services,
  • client-server applications,
  • expert and bespoke applications, and
  • mainframe applications.
Operating system security testing
Operating system security testing targets the operating system layer and covers operating system components from the complete range of commercial, open source and specialist operating systems, on platforms that include mobile devices.
Key components tested include:
  • OS kernel,
  • networking protocols, and
  • services, executables and drivers.
Infrastructure-level security testing
Infrastructure-level security testing targets the ICT infrastructure and facilities that support the delivery of business services. Targets for infrastructure security testing include:
  • Internet-facing infrastructure,
  • internal fixed network infrastructure,
  • wireless infrastructure,
  • server infrastructure,
  • end-user computing equipment, and
  • other special purpose infrastructure such as mainframes, storage area networks and cloud computing environments.


Contact us if you are seeking to test the security of your web application, critical internal system, legacy or SCADA system, or network infrastructure environment.


For more information contact our penetration testing leader:

Nick Ellsmore
CTO
stratsec
P: +61 2 9237 7276