How bluedog helps strengthen your organization with penetration testing
There are so many providers out there that claim to provide the best possible penetration testing services. How do you know who you should pick?
First things first, you have to know the scope of testing. Penetration testing is a widely used term and can mean many different things. Is it a web application only? Does it include a source code review? Is infrastructure involved? A cloud application on Azure or AWS? Are you trying to get a complete overview of issues, or is it a goal-driven approach, where the assessment tries to actually break into an organization and steal the crown jewels? All of these examples can fall under the term penetration testing if you want them to.
One of the core missions of bluedog is to help you identify exactly what your client is asking for. We are here to help you, each step of the way. A unique approach to preparing, executing and delivering on promise is what sets bluedog apart. The entire process is closely governed and controlled by skilled professionals with dozens of years of experience in the field. The bluedog professionals are trusted to train employees of major companies like Accenture and Petronas in the fields of penetration testing, code review and forensics.
The bluedog PenTest Approach
Testing web apps is done with tooling, isn’t it?
No, it isn’t. We no longer live in the 2000s, when applications were written in a straightforward request/response manner. We live in a mobile world now, where responsive single-page applications with separate front ends and back ends are flourishing.
Tooling alone doesn’t work anymore on these types of applications. It’s all about business logic bypasses and authorization or authentication flaws inside applications. Can you do something with a backend API that you are not supposed to, by building a malicious app around that API? This is the kind of question that requires human intelligence, not a tool.
Sure, tooling helps with the easy stuff. But do you really want to settle for a C when you can get an A+ instead? This is where bluedog comes in to help, with subject matter experts in the cyber security field, all trained within the bluedog Academy to ensure that all types of assessments are performed methodically and in accordance with the OWASP ASVS testing guidelines. This assures that each test undergoes the same set of quality controls!
The report is about the business risk!
Security testing is done by technical experts, who know how to break into an application or network with ease. But the end result of all of these assessments is still a report that is used within organizations to assess and mitigate the risks identified during the assessment.
So, would you rather have a brilliant tester with an unreadable technical report, a sloppy tester with a brilliant report that management also understands, or a brilliant tester with a brilliant report? We hope we can guess that answer for you.
What we do at bluedog when it comes to writing reports is look at the business risk and impact of the issues that have been identified. Not only on an individual basis, but more so at what will happen if individual issues are combined into a chained attack.
bluedog helps you get the best results!
The approach bluedog takes remains the same regardless of the type of test: preparation, assessment, QA, reporting. Governed and controlled by skilled subject matter experts with dozens of years of experience.
It’s vitally important to ensure that penetration tests are performed and reported in a way that takes business risk into account. No plain technical risk reporting, but findings placed into a real-world context that is easy to understand for management and the risk/compliance departments.
bluedog helps with this, and offers the unique capability of integrating the results of all types of security assessments into the SOC design. The pentest function feeds information to the intelligence function so that it becomes better.
This way, evidence-based compliance management can be achieved on a solid footing, as the virtual CISO teams from bluedog in the GRC function can work with all of the data and support the continuous compliance frameworks of any company.