---

Application Security Assessment

Data breaches can expose private information, compromise customer relationships, and cause extensive financial harm to companies and their customers. Yet stories of malicious attacks on major corporations, including banks, lenders, and retailers continue to make the news on an almost-daily basis. Web applications can be especially ripe targets for attackers. However, with regular penetration testing and assessments by experienced professionals, you can identify and address vulnerabilities before they harm your business or its customers. Black Arc Security’s Application Security Assessment Services provide an added layer of protection for your web applications.

Why Black Arc Security?

Our experience, professionalism, and personal service set us apart. Black Arc’s founders each have over a decade of experience in application security, and each of our consultants has a background in software development as well as penetration testing. This gives us an edge in application assessment that you won’t find with many other security providers. As a boutique security firm, we can also provide more competitive pricing than some other companies, with a very high level of quality. Finally, we pride ourselves on being a high-touch company. Throughout your Security Assessment, we will communicate with you on a regular basis through status reports, conversation, and questions. Feel free to reach out to us at any time — even after the engagement is complete. We look forward to hearing from you.

Our Process

Over the years, we’ve established a proven process for Application Security Assessment. It begins with learning about your business and the nature of the application in scope, and is followed by a complete assessment to find the security issues affecting your application. Here’s how it works:

1. Pre-Assessment Meeting

Before we begin your project, we’ll set up a meeting or conference call to review your application, discuss key details and goals, and answer any questions you may have. We’ll go over our testing procedures with you, talk through your requirements, confirm the scope of work, and gather any credentials and assets required for testing. A running application is required for our testing, so a suitable environment for testing and tester access will be discussed.

2. Discovery

Once the test environment and access is confirmed, our next step is to walk through your application manually, familiarizing ourselves with how it works. At this stage, we’ll consider the application’s architecture, functionality, user access levels, and goals. We will also assess the sensitivity of the data that your application processes.

3. Automated Testing

We spend the majority of our time performing manual penetration testing — but we also take advantage of the latest automated scanning technologies, to provide you with comprehensive test results. Using advanced scanning tools such as Qualys WAS, AppScan, and Burp Suite Pro, we will conduct automated vulnerability scans of your entire application. We test at the network level, examining your infrastructure, and at the application level. This two-part process includes unauthenticated testing (user is not logged in), and authenticated testing (user is logged in with a username and password). Because automated scanning tools often highlight false positives, we will scrutinize automated reports by hand, removing inaccurate items and focusing only on true vulnerabilities.

4. Manual Testing

With decades of combined experience, our consultants know exactly what to look for — and we’ve compiled checklists of items to review. These checklists cover the key components of web application security testing, but it is by no means exhaustive — nor is it meant to be. At Black Arc Security, we take a customized approach to manual penetration testing. We begin with the checklists, and then expand our “net” to search for any additional security issues. Manual testing includes the following issues, among others:

• OWASP Top Ten
• Session Handling
• Authorization Deficiencies
• Business Logic Flaws
• Configuration Issues
• Error Handling Controls
• Data Privacy and Integrity Controls
• Data Validation and Sanitization
• Password Management
• Injection Based Flaws
• Secure Channel Enforcement
• Service Configuration and Security

Once we identify potential security issues, we attempt to exploit them, just as a malicious attacker might — but we do so only with the intent to address vulnerabilities and assess the threat level. All exploitation is performed in a secure, confidential environment, with the client’s prior authorization.

5. Reporting

When our testing is complete, we will provide you with a full Web Application Security Report detailing all automated and manual penetration testing findings, including steps to reproduce. Vulnerabilities identified and an overall security risk exposure rating will be provided. We will prioritize each vulnerability with a severity rating and make recommendations for remediation, including clear and concise action steps. In addition, we will provide Security Best Practices, to help prevent future vulnerabilities.

Beyond the printed report, our web application security professionals will also provide you with a personal consultation, walking you through results and answering any questions.

6. Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean, and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have.

7. Optional Code Remediation

If you choose to work with your own developers to resolve code issues, we will provide you with all the information needed to do so. We can also provide optional code remediation for customers who request this service. If you select this additional service, we will travel to your site and remediate your code for you.

8. Remediation Support

As security issues are resolved, you can rely on the Black Arc team to provide you with skillful support and consulting.

9. Re-Testing

Following remediation, we provide unlimited remediation testing within six months of the original penetration test. This helps to ensure all issues are resolved.

10. Post Assessment Support

Even after your application is tested, you may wish to call on us for periodic support following significant updates or changes. We are here to answer any questions about how future changes my affect your application security.

Contact us to learn more

---

Secure Code Review

Users never consider it. Software buyers rarely examine it. And even programmers may miss flaws in its implementation. Your application’s source code is the most important aspect of your software that users will never see — yet it’s critical in protecting their security. Code review has been called the single most effective technique for identifying security flaws. At Black Arc Security, our experienced code analysts use a combination of manual and automated techniques to carefully examine your application’s source code and identify vulnerabilities that could compromise user data and harm your company’s reputation. Then, we provide you with detailed reporting and guidance to help your developers eliminate flaws and reduce security risk, resulting in strong, sound, self-defending source code.

What is Secure Code Review?

Secure Code Review is a thorough review of an application’s source code in order to identify security-related weaknesses and provide direction to resolve flaws or weaknesses in the code.

Why is Secure Code Review Necessary?

Malicious attacks are on the rise, and your application’s code is a common target. Many factors can lead to coding flaws, including re-use of existing (flawed) code by developers, increased connectivity of applications, demanding developer timetables, and a lack of security training and focus in the development environment.

Why Black Arc Security?

At Black Arc Security, we have decades of experience in secure code review, and have previously provided services for many of the nation’s leading security firms. Each of our highly skilled code analysts have a background in programming and development, so they understand the syntax and rationale behind the code — and which issues may pose the greatest security risks. We bring a hybrid approach to secure code review, using a combination of commercial scanning tools and manual testing, to provide the most thorough analysis possible. Our deep experience, combined with our boutique size, gives our clients exceptional results at competitive rates.

Our Process

Our secure code review process is designed to identify code flaws that a malicious user could leverage to compromise the confidentiality, integrity, or availability of your application. By finding issues early, and collaborating with development teams to resolve them, it’s possible to significantly reduce vulnerabilities in your application — with the goal of eliminating all code flaws. Here’s an overview of our process:

1. Pre-Assessment Meeting

We will meet with you and your development team, and conduct a preliminary consultation before beginning the code review. In this meeting we will listen to developers’ goals and security concerns, and identify the code review objectives. By seeking to understand the developers’ approach to authentication, data validation, encryption, and other areas, we can take more informed approach to the engagement. In addition, we will gather any other necessary information or requirements you may have.

2. Discovery

Before we examine the code in detail, we will walk through your application manually, in order to understand how it works. We’ll consider its architecture, functionality, goals, and sensitivity of data.

3. Automated Testing

We will begin with a preliminary scan, using automated tools to scan code and report potential flaws. Because the technology behind automated tools may be limited to certain types of flaws or programming languages, we employ multiple automated review tools to catch a greater variety of potential coding errors. We also tailor our scanning tools in order to get the highest quality scans.

This preliminary scan gives us a good idea of where to focus more detailed review efforts. Automated tools are excellent at assessing large amounts of code quickly and identifying possible issues, but it takes a skilled security expert to interpret and verify these results. Leveraging automation saves time and reduces the cost of code analysis, but it can result in false negatives and false positives. Our coding experts will carefully diagnose, consolidate, and verify all of the automatically generated data in order to prioritize risks and eliminate false readings.

4. Manual Testing

Some code flaws can only be discovered looking directly at the code. That’s why manual review is such an important part of our process. Our experienced code analysts can understand the context for certain coding practices, provide insights into the actual risks posed by insecure code, and provide risk assessments for the likelihood of attack and the business impact of a successful exploit.

During the manual testing process, we will review your code, line-by-line, searching for blind spots and flaws that automated tools may have missed. First, we search for security vulnerabilities that are common to many applications. We will ensure that security mechanisms are in place, and are coded properly. Then, we narrow our focus by looking for security issues that relate to the unique architecture of your application.

5. Reporting

After our analysis is complete, we will provide you with a report that focuses on the soundness of your source code. We will include results in the following key areas:

• Session Handling
• Authorization Deficiencies
• Business Logic Flaws
• Error Handling Controls
• Data Privacy and Integrity Controls
• Data Validation and Sanitization
• Password Management
• Injection Based Flaws
• Insecure Data Storage
• Potential Backdoors
• Race Conditions
• Weaknesses in Cryptographic Functions
6. Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean, and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have.

7. Optional Code Remediation

If you choose to work with your own developers to resolve code issues, we will provide you with all the information needed to do so. We can also provide optional code remediation for customers who request this service. If you select this additional service, we will travel to your site and remediate your code for you.

8. Remediation Support

As security issues are resolved, you can rely on the Black Arc team to provide you with skillful support and consulting.

9. Re-Testing

Following remediation, we provide unlimited remediation testing within six months of the original secure code review. This helps to ensure that the application functions as expected, and that all identified issues have been satisfactorily resolved.

10. Post Assessment Support

Even after your code is tested, you may wish to call on us for periodic support following significant updates or changes. We are here to answer any questions about how future changes my affect your application security.

Contact us to learn more

---

Mobile Application Security Testing

Mobile banking. Online gaming. In-app purchasing. There are so many ways mobile applications can make our lives more convenient and our businesses more successful — however, without proper security controls, they can also result in catastrophic security breaches. Attackers can exploit mobile apps to conduct identity theft, steal credit card numbers, and spoof legitimate servers. In order to protect your customers and your professional reputation, it’s essential to identify potential security exposures before they happen. Black Arc Security’s Mobile Application Security Testing Services can uncover mobile platform-specific vulnerabilities like insecure data storage, unprotected transmission of sensitive information, and flawed mobile application source code.

Why Black Arc Security?

We know mobile applications — and web security. Our founders have decades of experience in computer security, as well as mobile application development. We perform testing on a variety of mobile devices and operating systems, ensuring your app collects only the most essential data from customers and stores it securely. Because we are a boutique firm, we provide specialized expertise at competitive rates — and we also deliver personal service. We look forward to learning more about your company and your mobile applications.

Our Process

From testing your app on mobile devices, to examining its source code, to monitoring HTTP traffic, our mobile application security testing is thorough and effective. Here’s how our process works:

1. Pre-Assessment Meeting

We will begin by scheduling a meeting or conference call to go through your mobile application with you, talk about any specific security concerns, and gain an understanding of your goals. At this time, we’ll also gather any credentials and assets required for testing, and answer any questions you may have about our process.

2. Discovery

We use dedicated mobile devices and device emulators to test your application on a variety of platforms, including Apple, Android, and Windows. We will begin by installing the mobile app on each device, and examining how it affects the file system and registry. In order to get an idea of potential security breaches, we will examine how your app handles data, including confidential passwords and sensitive account information.

By performing sample transactions on each device and examining application files before and after installation, we will gain an understanding of how much information is collected from consumers, and how it is stored and/or transmitted. Then, we’ll take a look at how these transactions affect the device’s file system and storage capacity.

Beyond searching for security weaknesses in the basic functionality of your app, we’ll also look for any weaknesses that an attacker might use to access sensitive data, such as credit card numbers or bank account information.

3. Mobile Source Code Review

Next, our consultants will decompile your application’s source code, and attempt to manipulate your app’s programming, as an attacker might. However, unlike a malicious attacker, we will do so only in order to expose potential vulnerabilities in the app’s code. Because attackers often modify mobile applications’ source codes in order to obtain passwords or encryption keys, we will examine your code for any weaknesses that could be exploited.

4. Traffic Monitoring

Attackers are adept at intercepting traffic between users and servers in order to steal sensitive information. Many high-profile consumer data breaches involve malicious users who harvest data using insecure public Wi-Fi signals. They may literally drive through traffic, searching for insecure networks, or sit in parking lots of retail centers, downloading sensitive information. In some cases, SSL certificates can even be spoofed to make it appear that a server is legitimate, when the attacker is actually harvesting the data or controlling the information he or she receives.

In order to discover potential vulnerabilities, we will re-route traffic through a secure proxy, and monitor server communication. Then, we will identify and report potential weaknesses in backend mobile APIs or REST-based services.

5. Reporting

When our testing is complete, we will provide you with a full Mobile Application Security Report detailing all findings, including vulnerabilities and an overall security assessment. We will prioritize vulnerabilities with a risk rating for each identified issue and make recommendations for remediation, including action steps. In addition, we will provide Security Best Practices. Beyond the printed report, our mobile application security professionals will also provide you with a personal consultation, walking you through results and answering any questions.

6. Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have.

7. Optional Code Remediation

If you choose to work with your own developers to resolve code issues, we will provide you with all the information needed to do so. We can also provide optional code remediation for customers who request this service, to resolve security issues. If you select this additional service, we will travel to your site and remediate your code for you.

8. Remediation Support

As security issues are resolved, you can rely on the Black Arc team to provide you with skillful support and consulting.

9. Re-Testing

Following remediation, we provide unlimited remediation testing within six months of the original mobile application security testing.

10. Post Assessment Support

Even after your mobile application is tested, you may wish to call on us for periodic support following significant updates or changes. We are here to answer any questions about how future changes my affect your application security.

Contact us to learn more

---

Application Secure Code Training

More and more, corporations are becoming targets for attackers — but many traditional security measures, like firewalls and virus scans, aren’t sufficient to protect against attacks on web applications or web APIs, which are growing in popularity. Custom web applications or APIs can help your customers connect with your business in new and profitable ways, but they can also open up new doors for attackers to steal sensitive data. That’s why it’s important to equip your IT team with the tools they need to combat daily attacks from malicious users. Black Arc Security’s Application Secure Code Training can help you integrate security into your application development life cycle by teaching your developers how to think like attackers — and code securely to guard against their exploit attempts.

Why Black Arc Security?

Our courses are taught by application security industry experts with decades of professional experience. We provide knowledge-based training for programmers, application developers, and security analysts, giving your team the education they need to develop more secure applications from the ground up. Contact us for more information or to request a custom training program. Transform your IT team into an elite group ready to defend against malicious hackers.

Course Overview

Our Application Secure Code Training focuses on application vulnerabilities as well as secure code development. Because the field of software security is constantly changing, our course takes a dynamic format, bringing you the most up-to-date information possible. Course content includes the following components:

Topics

• Overview of secure coding guidelines
• Identification and avoidance of common coding errors
• Coding to prevent common vulnerabilities such as:
• Cross-site scripting
• SQL injection
• Cross-site request forgery
• Insecure direct object references
• Open redirections
• Insecure or weak data encryption
• Insufficient error and exception handling

Hands-On Learning:

The best learning takes place through action. We include hands-on learning sessions as part of our security training, offering the following benefits:

• Conduct “practice hacks” based on real-life scenarios
• Understand methods attackers use to search for vulnerabilities
• Evaluate authentication methods and server configuration
• Find out whether your application’s authentication has been altered or bypassed, which can cause both failures and data breaches
• Learn to correct problems by adjusting your network infrastructure and coding

Post Training Support

Even after your students have gone through application training, they may have further questions for the trainers. All students will have access to the trainer’s contact information, and we encourage the students to ask further questions.

Contact us to learn more

---

Application Design Review

Imagine spending months developing a lucrative application and finally readying it for release — then finding out, at the last minute, that it’s riddled with security flaws. Eliminating the vulnerabilities could take months, delaying the launch of your application — and limiting your profits. Meanwhile your competitors could release similar applications, taking away from your edge.

At Black Arc Security, we understand the time and resources you invest into application development. We provide exceptional security services throughout the entire application development life cycle — so that you can launch apps sooner with strong security mechanisms already in place. Our Application Design Review service detects potential security vulnerabilities early in your application’s development. Then, we share our findings with you, along with recommended action steps to resolve security issues. Working in tandem with your developers and architects, we can eliminate threats before your app reaches maturity. This enables final security testing to be conducted and completed more quickly, and with fewer vulnerabilities.

Why Black Arc Security?

As a boutique firm, we specialize in application security — and we’re with you every step of the way. Our founders and security professionals have backgrounds in programming and development, and we will work with your IT team to understand your application’s goals, share security best practices, and improve your overall security posture from start to finish. We want to be an extension of your team. Let us know how we can help in your application development process.

Our Process

We have developed a proven process for application design review. Here’s how it works:

1. Consultation

We will start by conducting a conference call or meeting with your business, to discuss your application’s goals and functionality with your development and architecture team, and collect any relevant design documents.

2. Initial Review

Next, we’ll review your application’s design and scrutinize its architecture for flaws that an attacker could exploit. Knowing these potential attack points allows us to anticipate threats and design defenses to address those specific weaknesses.

3. Information Gathering

In order to gain a greater understanding of your application’s design, we will interview leaders in your development team. Using the information we gain, we will evaluate your current security controls in relation to the most common threats, as well as any unique issues specific to your application.

4. Adversarial Relationship Modeling

Using information gathered in the previous step, our application security specialists will construct an adversarial relationship model between your application’s function and its security objectives, in order to expose application design weaknesses. We will search for a wide range of threats, including the following:

• Unauthorized access (without valid login credentials)
• Use of insecure protocols or services
• Theft of user credentials
• Session ID takeover
• Unauthorized capture of private user data
• Back-end database access
• Denial of service through software crash
• Sensitive data stolen during transmission
5. Reporting

We will deliver a comprehensive report of all our findings, including risk assessment and prioritization for each vulnerability we discover. In addition, we will provide action steps for closing gaps in your application security.

6. Consultation Throughout Remediation

We will work directly with your development team throughout the application design review process, answering questions as needed, and interpreting report results. Developers and architects will be better equipped to recognize security risks moving forward, and incorporate the necessary security structure into the code.

7. Post-Launch Support

Even after your application is released, you may wish to call on us for periodic support following significant updates or changes. Let us know how we can help provide you with exceptional security services throughout every stage of your application’s development.

Contact us to learn more

---

Application Security Program Review

As a leading application security company, developing effective security programs is in our DNA — and we have a passion for helping our customers meet the highest security standards. Firewalls, virus scanning software and automated tools can only go so far. In order to protect your web applications, you need a comprehensive application security program, including development guidelines, security training, and quality control measures. Our Application Security Program Review specialists will assess your current security program, identify and evaluate potential weaknesses in your software development lifecycle (SDLC), and provide you with the guidance you need to create a more robust, effective program.

Why Black Arc Security?

We’ve been working in application security for many years — and our specialists have helped secure hundreds of clients across the globe. With a comprehensive service offering and senior security specialists on staff, we know what it takes to create a successful application security program. Beyond reviewing your program, we can also provide you with a wide range of security services should you need to outsource or augment key security tasks. We also offer security training for your development staff. In addition, our boutique size ensures you’ll always receive personal service, at competitive rates.

Our Process

Over the years, we’ve established a proven process for Application Security Program Review. Here’s how it works:

1. Pre-Assessment Meeting

We’ll start by getting to know your company and its software development processes better. At our initial meeting, we will walk through your current program and review your business objectives in order to get an idea of where you are now and where you want to be. We will also request access to documentation related to your security program and current SDLC.

2. Interview Process

After reviewing your current program and overall objectives, we will interview your technology executives, development managers, architects, quality assurance personnel, senior developers, and any other key staff members. The goal is to understand your current SDLC and identify security activities actively being performed in your development organization(s). We’ll discuss whether each activity is done consistently throughout your company or if it confined to a particular group or team (a siloed activity). We will also review and collect additional SDLC artifacts, such as secure coding guidelines and development standards.

3. Strategic Evaluation

Next, we’ll evaluate your current program and determine a maturity level. We use the Software Assurance Maturity Model, or SAMM, from the Open Web Application Security Project (OWASP), as the framework for conducting your Application Security Program Review. At the highest level, SAMM defines four software-related business functions:

• Governance
• Construction
• Verification
• Deployment

Within each business function, there are several security practices and activities, which we will evaluate.

4. Recommendations and Plan Development

Finally, we will report our findings, noting your organization’s current maturity level in terms of the SAMM framework. Based on the results, we will collaborate with leaders and stakeholders in your company to create a customized and realistic roadmap to improve over time. We will provide recommendations in a number of areas, including the following:

• Development of Security Guidelines
• Scheduling of Security Reviews
• Clearly Defined Process for Handling Security Incidents
• Integration of Automated Security Scanning and Analysis Tools
• Security Training and Guidelines for Staff
• Implementation and Deployment Standards
5. Implementation Support

If requested, we can provide assistance in implementing recommendations. Or, we can provide support as you revise your plan internally.

6. Follow-Up Reporting

The best security plans deliver measurable results. We will conduct follow-up reports at regular intervals, as outlined in our initial proposal, to document improvements in your application security program.

Contact us to learn more

---

Threat Modeling

Identify the greatest threats to your system in the very early stages of your software development project or technology implementation. Gain a greater understanding of how various types of attacks might impact your business — and understand which controls will be needed to guard against them. At Black Arc Security, our Threat Modeling service examines your system design from a attacker's perspective, identifying, quantifying, and addressing the risks, so that you can create a more secure system.

Why Black Arc Security?

Our senior staff members each have more than ten years of experience in IT systems in addition to network and application security. We understand the range of threats that can impact our clients, and we bring a nuanced, detail-oriented approach to threat modeling. As a boutique security firm, we have the knowledge and expertise to bring you the highest quality results at competitive rates, with a high-touch approach to service.

Our Process

We take a comprehensive approach to threat modeling, gaining a thorough understanding your system, and evaluating threats by category and risk level. Here’s how it works:

1. Pre-Assessment Meeting

We will begin with a conference call or meeting to learn more about your business, your network, and the specific IT project to be analyzed. At this time, we will ask about any security concerns you may have as well as the project’s background and objectives. We’ll also walk you through our threat modeling process and answer any questions you may have.

2. Decomposition and Data Flows

In our Threat Modeling engagement, we will review your design documents and work closely with your IT architects and/or senior developers to decompose the system into logical components in order to understand their relationships and how they will interact. As part of this process, we will identify all entry points that a hacker might use to access the system and as well as sensitive data flows and security measures needed to protect them. Using this information, we will define trust boundaries, determine authorization levels required to access data from each entry point, and create Data Flow Diagrams that capture all of this information.

3. Identify and Categorize Threats

Once we understand how users can access your system and have Data Flow Diagrams that properly represent the system, we will identify, categorize, and evaluate threats. We use the Microsoft STRIDE methodology, which groups threats into the following categories:

• Spoofing identity
• Tampering of data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Spoofing Identity

Spoofing occurs when an illegitimate user accesses another user’s credentials, such as username and password or a web session cookie. This technique is used to access sensitive information while keeping the hacker’s identity confidential.

Tampering of Data

Data tampering is a type of threat that involves malicious modification of information and can affect the integrity of the overall system and its data.

Repudiation

Repudiation is undesirable because it represents the ability for an attacker to deny taking certain harmful actions within a system. A system needs to have the ability to trace user actions within a system by maintaining a secure audit log throughout.

Information Disclosure

This is a breach in data confidentiality where a user is able to view or access data without having been granted proper privileges.

Denial of Service

Denial of Service occurs when a system can be attacked in such a way that it crashes or is made unavailable to legitimate users. For example, a hacker may take down your server, preventing your customers from being able to do business with you. This type of attack can cause significant loss of income, not to mention reputational damage.

Elevation of Privilege

Elevation of Privilege refers to the process by which a legitimate user may access your system improperly, i.e. without possessing the required privilege. If a malicious user is able to gain entry by elevating privilege levels, sensitive information — such as credit card numbers and personally identifiable information — can be stolen.

Using STRIDE, we will identify potential weaknesses in each of these categories, cite examples of abuse cases, and note security risk levels for each identified threat.

4. Reporting and Recommendations

We will document all of our findings, and provide you with a comprehensive Threat Modeling Report, including data flow diagrams, detailed threat trees, and recommendations for remediation. This report will provide critical information for eliminating all identified threats and assist in prioritizing areas to address first.

5. Remediation Support

Throughout the remediation process, you can rely on the Black Arc team to answer any questions you may have, and provide personal assistance to your development team.

6. Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have.

Contact us to learn more

---

Network Vulnerability and Penetration Testing

What does your perimeter or internal network look like to an attacker? Can an unauthorized malicious user access confidential company files? Can an attacker breach your firewalls because of misconfiguration? The importance of network security has become increasingly important as the Internet evolves and computer networks become larger and more complex. Multifaceted networks are all the more susceptible to security gaps stemming from simple oversight or misconfiguration to vulnerable services within a client’s network which leaves organizations vulnerable to attacks. With a Network Vulnerability Test or Network Penetration Test from Black Arc Security, you’ll see how your network looks from the inside to the outside — and gain the intelligence and tools needed to safeguard it from malicious attacks.

Why Black Arc Security?

Our founders have been working in computer security for decades, and have a deep understanding of the security risks associated with network infrastructure. As security consultants, we know what malicious users are looking for when they view your network from the inside to outside — and we understand how to test for those vulnerabilities, without harming your system. We will work with your management team and your IT department to provide your perimeter and internal network with the highest level of security protections available. What’s more, we’ll be glad to answer any questions along the way. As a boutique firm, we provide personal service and exceptional expertise, all at competitive rates.

Our Process

During your network security assessment, we will review your entire network for weaknesses, report our findings, and provide recommendations for improvement. Our comprehensive process includes the following steps:

• Pre-Assessment Meeting

Before we begin your project, we’ll set up a meeting or conference call to review your logistics, discuss key details and goals, and answer any questions you may have. We’ll go over our testing procedures with you, talk through your requirements, discuss rules of engagement, and gather any credentials and assets required for testing.

• Device Discovery

We begin by creating a thorough inventory of your infrastructure. We will identify and document all the live devices that exist on your network — including every router, every server, every URL. If it is an internal assessment then this will also include every laptop, mobile phone, and tablet. Your inventory will include detailed information about each device, noting its location, owner or user. During this phase, we will also assess traffic patterns, including main paths and subnets.

• Target Profiling

Once we have a list of all devices on your network, we can verify which devices are approved — and identify any that are not. We then identify all running services within the list of client specified hosts. This creates an attack vector profile which is utilized within the examination phase in order to better identify the threats, risks, and vulnerabilities within the client’s organization.

• Examination
Automated Testing

We will begin with a preliminary scan, using automated tools to scan the previously discovered live hosts and live ports. Because the technology behind automated tools may be limited to certain types of flaws, we employ multiple automated tools to catch a greater variety of potential vulnerabilities. We also tailor our scanning tools in order to get the highest quality scans.

This preliminary scan will give us a good idea of where to focus more detailed scanning efforts. Automated tools are excellent at assessing large amounts of infrastructure and identifying possible issues, but it takes a skilled security expert to interpret and verify these results. Leveraging automation saves time and reduces the cost analysis, but it can result in false negatives and false positives. Our network security consultants will carefully diagnose, consolidate, and verify all of the automatically generated data in order to prioritize risks, and eliminate false positives.

Manual Testing

Some vulnerabilities can only be discovered looking directly and manually at the infrastructure. That’s why manual review is such an important part of our process. Our experienced network security consultants can understand the context for certain practices, provide insights into the actual risks posed by vulnerabilities, and provide risk assessments into the likelihood of attack, and the business impact of a potential breach.

During the manual testing process, we will take all the previous data that has been generated, searching for blind spots and vulnerabilities that automated tools may have missed. First, we search for security vulnerabilities that are common to many devices. Then, we narrow our focus by looking for security issues that relate to the unique architecture of your infrastructure.

• Optional Risk Validation

If the client has chosen the full penetration test option, after the security issues have been identified, then we preform authorized exploitation attempts to confirm the issue and determine the proper risk to the client. All possible exploit risks and impacts are outlined for the client before any authorized exploitation occurs.

• Reporting

When our testing is complete, we will provide you with a full Network Security Assessment report detailing all automated and manual penetration testing findings, including vulnerabilities and an overall security assessment. We will prioritize vulnerabilities with a risk rating for each identified issue, and make recommendations for remediation, including action steps. In addition, we will provide Security Best Practices, to help prevent future vulnerabilities.

Beyond the printed report, our network security professionals will also provide you with a personal consultation, walking you through results and answering any questions.

• Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean, and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have. Armed with your Network Vulnerability Assessment or Network Penetration Test report, your IT department will have the information and tools needed to eliminate vulnerabilities, and create a stronger, more secure wireless network.

• Remediation Support

As security issues are resolved, you can rely on the Black Arc team to provide you with skillful support and consulting.

• Re-Testing

Following remediation, we provide unlimited remediation testing within six months of the original penetration test. This helps to ensure all issues are resolved.

• Follow-Through

Even after your network is tested, you may wish to call on us for periodic support following significant updates or changes. We are here to answer any questions about how future changes my affect your network security.

Contact us to learn more

---

Wireless Security Assessment

What does your wireless network look like to an attacker? Can an unauthorized user access confidential company files? Can a rogue device connect to your network, unnoticed? With a wireless security assessment from Black Arc Security, you’ll see how your wireless network looks from the outside — and gain the intelligence and tools needed to safeguard it from malicious attacks.

Why is Wireless Security Assessment Necessary?

Wireless networks help businesses collaborate, share files and connect to the Internet using a range of devices — but this convenience comes at a price. Because wireless networks are inherently less secure than wired networks, it’s important to evaluate their security on a regular basis, identifying any security gaps, and closing them before attackers seize the opportunity to slip through.

Why Black Arc Security?

Our founders have been working in computer security for decades, and have a deep understanding of the security risks associated with wireless networks. As white hat attackers, we know what malicious users are looking for when they view your network from the outside — and we understand how to test for those vulnerabilities, without harming your system. We will work with your management team and your IT department to provide your wireless network with the highest level of security protections available. What’s more, we’ll be glad to answer any questions along the way. As a boutique firm, we provide personal service and exceptional expertise, all at competitive rates.

Our Process

During your wireless security assessment, we will review your entire wireless network for weaknesses, report our findings, and provide recommendations for improvement. Our comprehensive process includes the following steps:

1. Pre-Assessment Meeting

Before starting work, we’ll begin with a brief consultation to understand your specific wireless security concerns, address your goals, and answer any questions you may have about our process. We’ll also collect any credentials and assets that might be required for testing.

2. Wireless Device Discovery

In order to discover any rogue devices, we first need to know which devices are authorized to use your wireless network. That’s why we begin by creating a thorough inventory of your equipment. We will identify and document all the wireless devices that exist on your network — including every router, every access point, every channel, and every laptop, mobile phone, and tablet. Your inventory will include detailed information about each device, noting its location, owner or user. During this phase, we will also assess traffic patterns, including main paths and subnets.

3. Identify Rogue Devices, and Eliminate Faulty Equipment

Once we have a list of all wireless devices on your network, we can verify which devices are approved — and identify any that are not. If a rogue device is discovered on your wireless network, we will provide you with the information you need to remove it. Using a commercial-grade vulnerability scanner, we will check for activity on wireless bands or channels you may not normally use, to ensure they are not being exploited.

We will also note whether approved devices are currently in use. If not, we recommend either removing or replacing faulty parts and unused or out-of-date equipment.

4. Test Access Points

We will evaluate each of your access points, to determine whether they are up to date with most current operating systems, security and firmware updates, and antivirus / antispam software. Your wireless network is only as strong as its weakest link, so we will provide security recommendations for any devices that require updates.

In addition, we will check your authentication process for authorized access points, and report on current security levels. This may include making recommendations to strengthen passwords and authentication settings, and adjust device configurations to improve security and comply with regulations. For example, we can set up your system to block unauthorized protocols and automatically generate alerts in the event of a security breach, so that that issues can be dealt with in a timely manner.

As part of this process, we simulate an attack on your wireless system, in order to determine whether a attacker can exploit any access points in your network. We will conduct this testing only with your prior authorization, and no part of your network will be harmed.

5. Reporting

We will compile all of our findings in a comprehensive report, and present it to your management and/or IT team. You will receive a complete analysis of the current state of security of your wireless network, including a description and risk classification for each identified vulnerability, action steps required to resolve vulnerabilities, and strategic recommendations to improve security and reduce risk.

6. Plan of Action / Follow-Up

Once you have had time to review our report, we will follow up with a meeting to discuss what the results mean, and provide guidance in addressing potential vulnerabilities. We will prioritize security issues based on potential customer and business impact, evaluate the risk of resolving issues, and assist you in determining which issues may require action. As your development team works to resolve problems, we invite you to reach out to us with any questions you may have. Armed with your Wireless Security Assessment, your IT department will have the information and tools needed to eliminate vulnerabilities, and create a stronger, more secure wireless network.

7. Remediation Support

As security issues are resolved, you can rely on the Black Arc team to provide you with skillful support and consulting.

8. Re-Testing

Following remediation, we provide unlimited remediation testing within six months of the original wireless security assessment.

9. Follow-Through

Because technology is always changing, and malicious users are always developing new ways to gain unauthorized access to wireless networks, it’s important to perform vulnerability assessments on a regular basis. We recommend conducting a wireless security assessment at least once a year.

10. Post Assessment Support

Even after your wireless network is tested, you may wish to call on us for periodic support following significant updates or changes. We are here to answer any questions about how future changes my affect your application security.

Contact us to learn more