What is this “security” we’re talking about?
“Security” is a very wide field. Even if your passwords are safe and you never click on unknown attachments, techniques like social engineering, drive-by exploits and other threats can still cause trouble. Every aspect of IT security is therefore only a best effort to approach 100% safety, which will never be achievable, given that new security holes and flawed software designs are found every day.
But being 99.8% sure that your data is safe is still a better feeling than seeing your customer data spread all over the web a few days after launch, right?
Application security
Every application that handles user input needs to keep track of what the user is doing and of what they should not be allowed to do. In-depth application analysis therefore tries to find ways of manipulating the user input in order to change or reveal information that should not be accessible in the first place. With those findings on hand, you can harden your application against such exploits as well as possible.
Server security
Obviously, the system your application runs on should be safe. In theory, every IT department knows that frequent security updates, a strong password policy and constant monitoring are best practice here. But who actually sticks to those plans in reality, rather than keeping them stored in a safe and warm drawer at their desk?
Server security is not only about scanning your environment once for known threats, but about keeping it constantly up to date to ensure its safety.
Social security
Most successful attacks on IT infrastructure come from within the local network. So it is often not the ski-mask-wearing hacker in his darkened room who breaches your system, but someone who already has access to the network from inside. It is therefore important to know who is accessing your systems, from where, and with which permissions. Are temporary accounts for external consultants and contract workers disabled once they leave? Do shared passwords stay the same when staff changes? A good social security concept takes care of this aspect with tools and techniques that keep usage simple for users and maintainable for administrators.
Tools and Techniques
The best tools cannot achieve anything if they are looking in the wrong direction. So in every case, an initial consultation is needed to get an understanding of your IT landscape and its needs. After that, established tools like OpenVAS, Kismet, Metasploit, OWASP ZAP and Wireshark are used to gather as much information as possible about your landscape. With those results in mind, we work out an easy-to-read overview of the current security situation and show ways of improving it for the future.