Delivering cybersecurity services such as web application vulnerability assessments and penetration tests within Canada:
We simulate attacks on your applications (web, API, mobile, point-of-sale systems, kiosks) by testing for flaws which can be leveraged by attackers to steal, leak, misuse or abuse sensitive information or services.
Vulnerability or penetration tests for custom-built applications
Authenticated or unauthenticated attack scenario perspectives
Using primarily manual techniques (and some automation, where applicable)
Using both dynamic analysis (DAST) and static analysis (SAST)
Identification, authentication and authorization flaws
Session management flaws (e.g. session hijacking)
OAuth 2.0 authentication vulnerabilities
Misconfiguration and deployment flaws
Integration misconfiguration flaws (e.g. third-party components)
Captcha bypass, 2FA bypass, rate limit bypass or WAF bypass
Insecure 'registration', 'remember me', or 'forgot password' functionality
Input or injection flaws (e.g. SSRF, command injection, HTTP parameter pollution)
Insecure design flaws
Flaws in payment functionality flows
Cryptographic misuses or errors
File upload vulnerabilities
Unintended application leakage from application usage or misuse
Client-centric vulnerabilities (e.g. XSS, clickjacking)
Business logic flaws and targeted edge cases
Account takeover and privilege escalation via chaining of multiple vulnerabilities
We have a simple 3-step process to get started with our cybersecurity assessment services:
Tell us your security needs
Onsite, if local, or via a virtual meeting, we discover your business and your security needs, along with the type of security testing of interest and the potential scope. We will go over our general engagement approach, such as methodology, tooling, and possible attack scenarios, and discuss how we may be able to help.
We perform the work
This is where we perform the assessment, strictly within scope, using vetted tools and approaches, and being mindful of the operational impact on your environment. Many of us have previously held operations roles, so we understand that hitting systems too hard, triggering a vast number of alerts, or locking out admins adds negative value. Depending on the type of testing, we adjust our approach so as to maximize value while producing as safe a test as possible.
We deliver a report and presentation
The final work product is a report with an executive summary and technical details discussing methodology, tooling, vulnerabilities discovered and attacks leveraged. The report provides a clear description of each finding's security risk, likelihood, impact, and remediation steps. A final presentation is scheduled once you've had time to review the final report, to discuss the vulnerability findings.