Posted on 24-Mar-2022

Security Testing Methodology

ATTENTION: This document contains information from Astra IT, Inc. & Czar Securities Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from Astra IT, Inc. & Czar Securities Pvt. Ltd. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.

Your plug & play cyber security suite.

www.getastra.com

8000+ Hours Saved of Developers & CXOs

Resilient and Reliable Security solution for your application

75% Vulnerability Fixing Rate

27,000+ Vulnerabilities Uncovered Every Month

Table of Contents

1. Introduction
   1.1 About Astra Security
   1.2 Objective of Security Testing
   1.3 Astra Security's VAPT Framework
2. Security Audit Scope of Work (SOW)
3. Testing Methodologies
   3.1 For Websites / Web Applications
   3.2 For Mobile Applications (Android)
   3.3 For Mobile Applications (iOS)
   3.4 For API Security
   3.5 For AWS Cloud Infrastructure
   3.6 For Azure Cloud Infrastructure
   3.7 For Network Devices - Firewall/Routers/Printers
4. Security Testing Report & Video POCs
5. Methodology for Patching Vulnerabilities
6. Our Security Suite
7. Our VAPT Customers
8. Awards & Recognition
9. List of Top Security Issues Tested
10. Contact

Cover graphic labels: SQL Injection; Malware; Bad Bots; Vulnerabilities in Code; Phishing & Social Hacks; Vulnerabilities in App Code; API Testing; Cloud Security Diagnostics; Business Logic Testing; Network VAPT.

1. Introduction

1.1 About Astra Security

Astra Security makes cyber security super simple for online businesses. The company offers a security suite comprising a security audit, a firewall & a malware scanner.

Every solution within our suite takes under five minutes to set up & offers a 10x better experience than its contemporaries. The suite is tightly knit, offering a homogeneous experience that makes security delightful. Astra Security is a Techstars-backed company, awarded by the President of France & the PM of India for its innovation in cyber security.

The security testing focuses on evaluating the security of web, mobile, network, API, SaaS, blockchain & cloud applications by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the application for any available weaknesses, technical flaws, or vulnerabilities.

Every vulnerability that is found is presented with an assessment of its impact and a proposal for a technical solution, using our collaborative cloud dashboard.

Vulnerability Assessment & Penetration Testing that comes without a hundred emails, 250 Google searches & painstaking PDFs. Saves hundreds of hours of your & your developers' time.

1.2 Objective of Security Testing

Vulnerability Assessment & Penetration Testing (VAPT) covers (figure labels):

- Static & Dynamic Code Analysis
- Network Devices Configuration
- Payment Manipulation Testing
- Server Infra. Testing & DevOps
- Business Logic Testing
- Vulnerability Remediation Assistance
- Bird's Eye View with VAPT Dashboard
- Testing per OWASP Standards & Known CVEs

1.3 Astra Security's VAPT Framework

Every VAPT (Vulnerability Assessment & Penetration Test) is tailored to the application being tested. Apart from the standard security tests, a strong emphasis is placed on designing security tests tailored to your application's workflow.

Applications covered (figure labels): Web Applications; Mobile Apps (iOS/Android); Cloud Infrastructure (AWS/Azure); SaaS Applications; Website Themes & Plugins; Blockchain Applications; API Testing; IoT Applications; Network Devices.

2. Security Audit Scope of Work (SOW)

A detailed security audit's scope is tailored to individual requirements such as the number of applications to be audited, the types of application, the desired type of security testing, our predefined number of tests for each type of application, the security assessment tools, and more.

The security audit scope of work will include:

- Vulnerability Assessment and Penetration Testing (VAPT)
- Static & dynamic code analysis
- Technical assistance in patching found security vulnerabilities
- Collaborative cloud dashboard for vulnerability reporting & management
- Access to our security tools/APIs
- Consultation on the best security practices for your application

Astra's Security Testing is based on the OWASP (Open Web Application Security Project) Testing Methodologies and the OWASP Testing Framework. During the audit we perform over 1250 'active' tests that have been classified on the basis of the type of vulnerabilities found. Each active test is followed by hundreds of sub-tests.

Hacker style testing, powered by our powerful vulnerability management & collaboration dashboard.

The security audit is a high-level description of the many ways organizations can test and assess their overall security posture.

Qualified & Friendly Security Team

Astra's team of security auditors maintains an ethical and professional approach to testing and assessing your organization's security posture. Our professional auditors combine the wisdom, qualifications and skills acquired over years of doing thousands of security audits. You get nothing but the best experience throughout the engagement.

In addition, the auditors have both the technical & communication skills to uncover all vulnerabilities on your platform and collaborate with your development team to help them patch discovered vulnerabilities in your application/network. Our team takes pride in being developer friendly.

Our security auditors have wide educational backgrounds & hold industry-specific certifications (not limited to the list below):

- Bachelors in Information Security from Northumbria University, Singapore
- CEH - Certified Ethical Hacker
- Advanced Diploma in Information Security, MDI, Singapore
- Cyber Security Fundamentals from Kaspersky
- Policy Compliance Certification, Qualys

Testing approaches (figure labels): Network & source code testing; Blackbox Testing; Whitebox Testing; Greybox Testing.

Vulnerability Management Areas (figure labels)

- Websites / Web Applications
- Mobile app assessment
- PDA security assessment
- Mobile Apps (iOS/Android)
- API analysis
- API enumeration
- Scope & roles testing
- API Security
- Cloud configuration review of environment
- Cloud Infra. (AWS/Azure)
- Network and perimeter assessments (Internal/External)
- Server and network penetration testing
- IDOR (Insecure Direct Object Reference)
- Cloud security diagnostics
- Network Devices
- Network vulnerability assessment with a data review
- Reviewing network strengths against common attacks
- Network devices penetration testing
- Security assessment of network devices

3. Testing Methodologies

Our security testing approach and methodology is based on industry-leading practices such as OWASP, OSSTMM, WASC, NIST etc.

Hybrid of Human & Automated Vulnerability Testing.

3.1 For Websites/Web Applications

Phase I (Initiation):
- Define scope of testing for an application
- Document initial testing requirements
- Develop testing & scanning schedule
- Understand implemented functionalities in an application
- Sampling of browser-server traffic flow
- Finalize testing deliverables format

Phase II (Evaluation):
- Perform static code analysis of an application
- Server infrastructure testing & DevOps
- Identify the loopholes in the business logic
- Do authorization checks for user access (UAC)
- Schedule manual & automated application scanning using own tools
- List commercial and open source tools for security testing

Phase III (Discovery):
- Perform dynamic analysis & penetration tests
- Payment manipulation testing
- Test for known CVEs
- Technology-specific attack vectors and payloads
- Verify findings and remove false positives
- Catalogue all the exposed vulnerabilities
- Collection of evidence and video POCs

Phase IV (Reporting):
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

For more information, visit: https://www.getastra.com/website-vapt

3.2 For Mobile Applications (Android)

Phase I (Initiation):
- Installation of the APK file on Android security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data

Phase II (Evaluation):
- Intercept the app's traffic through a proxy to analyze its incoming & outgoing packets
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data stores (at rest, in transit or on display) and their sensitivity

Phase III (Discovery):
Based on the observations, formulate test cases and carry out security testing for:
- Data storage and privacy
- Cryptography
- Authentication & session management
- Encrypted network communications
- Platform interaction
- Code quality and build settings

Phase IV (Reporting):
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for Android security testing: Network Proxy, MitmProxy, Quark, APKTool, Android Debug Bridge, MobSF, ZAP & more.

For more information, visit: https://www.getastra.com/mobile-app-vapt

3.3 For Mobile Applications (iOS)

Phase I (Initiation):
- Installation of the IPA file on iOS security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data

Phase II (Evaluation):
- Intercept the app's traffic through a proxy to analyze the packets coming in and going out of the app
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data stores (at rest, in transit or on display) and their sensitivity

Phase III (Discovery):
Based on the observations, formulate test cases and carry out security testing for:
- Data storage and privacy
- Cryptography
- Authentication & session management
- Encrypted network communications
- Platform interaction
- Code quality and build settings

Phase IV (Reporting):
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for iOS security testing: Network Proxy, MitmProxy, Quark, MobSF, ZAP, IMAS & more.

For more information, visit: https://www.getastra.com/mobile-app-vapt

3.4 For API Security

Phase I (Initiation):
- Analyze the API endpoints
- Check the type of authentication implemented: Basic HTTP authentication, access token, cookies
- User input validation checks
- Document initial testing requirements
- Develop testing schedule
- Set up the testing environment and prepare testing tools

Phase II (Evaluation):
- Check that all endpoints are protected behind authentication, to avoid a broken authentication process
- Test for API input fuzzing
- Test for unhandled HTTP methods
- Analyze API requests and responses
- Test integration endpoints

Phase III (Discovery):
Test for the following vulnerabilities:
- Unauthorized access
- Data leakage
- Sanctioning
- Fuzzy input
- Injection vulnerabilities
- Parameter tampering, etc.
- Data validation testing
- Access permissions
- IDOR (Insecure Direct Object Reference)

Phase IV (Reporting):
- Determine ease of vulnerability exploitation
- Provide vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for API security testing: Burp Suite, Proxy, SQLmap, Acunetix, DirBuster, Fuzzapi, Commix, REST API clients & more.

For more information, visit: https://getastra.com/blog/knowledge-base/api-security-testing
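The two Phase II checks above (every endpoint protected behind authentication, no unhandled HTTP methods) can be turned into a repeatable contract test for your own API. The following is an added example, not Astra's tooling or code from this document: it starts a stub API in-process so it runs offline (the stub, its /api/... paths, STUB_ROUTES, INTENDED and the bearer token value are all constructed assumptions for the example), then probes each documented endpoint without credentials and with methods outside the contract, reporting anything that answers 2xx unauthenticated or is not rejected with 405/501. Point check_endpoints() at your own staging base URL and contract to use it for real.

```python
"""Auth-coverage and HTTP-method contract check for an API.

Added example, not Astra's tooling. A stub API (constructed here) is started
in-process so the check runs offline; STUB_ROUTES, INTENDED, the paths and the
token value are assumptions made up for the example.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VALID_TOKEN = "valid-token"  # constructed credential accepted by the stub

# What the stub actually implements. /api/export shipped without an auth check,
# which is exactly the gap the review should surface.
STUB_ROUTES = {
    "/api/health": {"auth": False, "methods": {"GET"}},
    "/api/users":  {"auth": True,  "methods": {"GET", "POST"}},
    "/api/export": {"auth": False, "methods": {"GET"}},
}

# The documented contract the API is supposed to honour.
INTENDED = {
    "/api/health": {"auth": False, "methods": {"GET"}},
    "/api/users":  {"auth": True,  "methods": {"GET", "POST"}},
    "/api/export": {"auth": True,  "methods": {"GET"}},
}

ALL_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


class StubHandler(BaseHTTPRequestHandler):
    """Minimal API: 404 unknown path, 405 unsupported method, 401 missing token."""

    def _handle(self):
        route = STUB_ROUTES.get(self.path)
        if route is None:
            self.send_response(404)
            self.end_headers()
            return
        if self.command not in route["methods"]:
            self.send_response(405)
            self.send_header("Allow", ", ".join(sorted(route["methods"])))
            self.end_headers()
            return
        if route["auth"] and self.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            self.send_response(401)
            self.end_headers()
            return
        body = json.dumps({"path": self.path, "method": self.command}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(base_url, path, method, token=None):
    """Send one request and return the HTTP status code (error statuses included)."""
    req = Request(base_url + path, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_endpoints(base_url, contract):
    """Compare a live API against its documented contract.

    Finding 1: an endpoint that should require credentials answers 2xx without any.
    Finding 2: a method outside the contract is not rejected (expect 405 or 501).
    Returns a list of finding strings; an empty list means the API matches.
    """
    findings = []
    for path, spec in contract.items():
        for method in sorted(spec["methods"]):
            status = probe(base_url, path, method)  # deliberately unauthenticated
            if spec["auth"] and 200 <= status < 300:
                findings.append(f"{method} {path} answered {status} without credentials")
        for method in sorted(ALL_METHODS - spec["methods"]):
            status = probe(base_url, path, method, token=VALID_TOKEN)
            if status not in (405, 501):
                findings.append(f"{method} {path} not rejected (got {status}, expected 405)")
    return findings


def run_check():
    """Start the stub on a free loopback port, run the check, shut the stub down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_endpoints(f"http://127.0.0.1:{server.server_address[1]}", INTENDED)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_check() or ["no findings"]:
        print(finding)
```

Running it reports the single constructed gap, `GET /api/export answered 200 without credentials`; the 405 checks pass because the stub rejects every undocumented method. The contract is kept separate from the implementation on purpose: the test should encode what the API is documented to do, so that a route quietly shipped without its auth check shows up as a difference rather than being rubber-stamped.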

3.5 For AWS Cloud Infrastructure

Phase I (Initiation):
- Define scope of testing for your AWS integration
- Obtain root access keys
- Network and perimeter assessments (Internal/External)
- Finalize testing deliverables format

Phase II (Evaluation):
- Configuration review of the environment
- Reviewing Identity and Access Management (IAM) users, groups and roles
- Managing the access control on the cloud
- EC2, SNS, RDS security configuration review
- Reviewing other AWS policies for: S3 buckets, SQS queues, KMS keys

Phase III (Discovery):
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Running vulnerability scanning with tools such as CloudSploit
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics

Phase IV (Reporting):
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for cloud infrastructure testing for AWS: Prowler, CloudSploit, Cloudsplaining, ScoutSuite, CloudJack & more.

For more information, visit: https://getastra.com/blog/security-audit/aws-security-audit
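The Phase II review items above (IAM users, groups and roles; S3 bucket, SQS queue and KMS key policies) come down to reading policy documents for grants wider than intended. As an added example that is not Astra's tooling or part of this document, the script below reviews two constructed policy documents (CI_ROLE_POLICY, BUCKET_POLICY, the bucket name and statement ids are all made up for the example) for four findings a reviewer looks for first: Action * on Resource *, service-wide wildcard actions on all resources, an Allow statement written with NotAction, and an anonymous principal with no Condition. review_json() unwraps the JSON shapes that `aws iam get-policy-version` and `aws s3api get-bucket-policy` return, so the same checks run over real output.

```python
"""Wildcard and public-access review for IAM and S3 bucket policy documents.

Added example, not Astra's tooling. The policy documents below are constructed
samples; in practice feed review_json() the output of
`aws iam get-policy-version` or `aws s3api get-bucket-policy`.
"""
import json


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_policy(doc):
    """Return [(statement id, finding), ...] for one policy document.

    Only Allow statements can widen access, so Deny statements are skipped.
    """
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt and "Action" not in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        elif "*" in resources:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                findings.append((sid, "service-wide wildcard on all resources: " + ", ".join(wild)))
        if _principal_is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "anonymous principal without a Condition: " + ", ".join(actions)))
    return findings


def review_json(text):
    """Accept raw CLI output and unwrap it to the policy document."""
    doc = json.loads(text)
    if "PolicyVersion" in doc:                 # aws iam get-policy-version
        doc = doc["PolicyVersion"]["Document"]
    if isinstance(doc.get("Policy"), str):     # aws s3api get-bucket-policy
        doc = json.loads(doc["Policy"])
    return review_policy(doc)


# Constructed sample: an identity policy attached to a CI role.
CI_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"], "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Ec2Wild", "Effect": "Allow",
         "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
    ],
}

# Constructed sample: a bucket policy with a public-read grant and a TLS-only deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("CI_ROLE_POLICY", CI_ROLE_POLICY), ("BUCKET_POLICY", BUCKET_POLICY)):
        for sid, finding in review_policy(doc):
            print(f"{name} / {sid}: {finding}")
```

On the samples, ReadLogs is left alone (narrow actions, even on Resource *), TooBroad and Ec2Wild are flagged in the role policy, and only PublicRead is flagged in the bucket policy; the Deny statement with the aws:SecureTransport condition is a hardening control, not a finding. Real reviews then go on to matching ARNs and conditions, but these four checks catch the grants that most often turn a small compromise into a whole-account one.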

3.6 For Azure Cloud Infrastructure

Phase I (Initiation):
- Define scope of testing for your Azure integration
- Obtain root access keys
- Network and perimeter assessments (Internal/External)
- Finalize testing deliverables format

Phase II (Evaluation):
- Configuration review of the environment
- Reviewing Identity and Access Management (IAM) users, groups and roles
- Managing the access control on the cloud
- Storage, VMs, SQL Database, Key Vault & App Service environment security configuration review
- Reviewing data protection & encryption

Phase III (Discovery):
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Running vulnerability scanning with tools
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics

Phase IV (Reporting):
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for cloud infrastructure testing for Azure: Azucar, CloudSploit, ScoutSuite, MicroBurst, cs-suite & more.

3.7 For Network Devices - Firewall/Routers/Printers

Phase I (Initiation):
- Define scope of testing for network devices
- Develop testing schedule
- Identify any deficiencies that put the customer at risk of a security breach
- Understand integration of the device and topology
- Sampling of network traffic
- Finalize testing deliverables format

Phase II (Evaluation):
- Check that all endpoints of the devices are protected with authentication
- Security policies & architecture review
- Do authorization checks for user access (UAC)
- Network data review
- Evaluate the policies for remote access, etc.
- Reviewing network strengths against common attacks

Phase III (Discovery):
- Perform a risk assessment to identify threats, and analyze the control environment to determine what the risks are and their potential impact
- Vulnerability assessment for device process, application & function
- Perform penetration testing to find flaws in the vulnerable devices

Phase IV (Reporting):
- Provide details of vulnerabilities & misconfigured/unpatched network devices on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for network devices testing: Nmap, Wireshark, Nessus, Metasploit, Burp, Sublist3r & more.

For more information, visit: https://getastra.com/blog/security-audit/it-security-audit

4. Security Testing Report & Video PoCs

Astra Security's proprietary vulnerability management platform is unlike anything you may have seen before. A bird's eye view for CISOs helps ensure you're always on top of the status of the security audit. A detailed vulnerability report with video proofs of concept, Selenium scripts & the ability to collaborate with our security engineers within the dashboard ensures vulnerabilities are fixed in record time.

The report covers:
- Details of the vulnerability
- Screenshots & video PoCs
- Selenium scripts for your developers to help reproduce vulnerabilities
- Threat criticality with CVSS score
- Business impact & consequences
- Steps to re-create the issue
- Tailored steps to fix the vulnerability (patching)
- Best practices for the future

Astra Security's vulnerability management dashboard comes with a bird's eye view for management, keeping you always on top of the security assessment status.

Video PoCs, Selenium scripts & collaboration with the security team enable your developers to fix the vulnerabilities in record time. With Astra Security, VAPT takes 40% less time than other solutions.

Build trust among your customers & partners with a security certificate

A secure application calls for some bragging. After our engineers verify you've fixed the uncovered vulnerabilities, we issue a safe-to-host certificate. This helps inspire confidence among your customers and partners.

[Certificate mock-up issued for "your-business.com"]

5. Methodology for Patching Vulnerabilities

We have a strong emphasis on security patching after the audit. It is important to close the loop and make the application bulletproof against hackers.

We achieve this by providing:
- Detailed steps for patching
- Best practices during development
- Round-the-clock technical assistance
- Video POCs of discovered vulnerabilities and security loopholes
- Re-audit to ensure the issue has been fixed

After the security vulnerabilities have been satisfactorily resolved, a full re-scan is conducted to ensure that there are no gaps. A certificate is then issued to confirm the same.

Additional Security Mechanisms

To ensure the utmost security we believe in 'Proactive Security' measures, where we anticipate the infiltration techniques used by hackers and recommend additional security countermeasures.

We take security into our own hands and fortify the application with:
- Application-specific security mechanisms
- Countermeasures for known attack techniques
- Framework to monitor user actions on the application
- Mechanisms to tackle hackers

6. Our Security Suite

Intelligent web application firewall & malware scanner that detects, stops & neutralizes 100+ threats

A rock-solid firewall neutralizes 100+ threats including bad bots, SQLi, LFI, RFI etc. Automatic decision making & dozens of security features like country blocking, GDPR cookie consent, rate limiting, fake search engine bot detection & more.

- Protects against 100+ types of attacks
- Daily automatic malware scans
- Community-driven
- No DNS changes required
- No routing of traffic through our servers
- We never become a single point of failure
- Protection tailored to technology stack

Create your own community security (Bug Bounty) program

Your business is vulnerable. There's always a new malware or hack floating around that you are not protected against.

With community security, ethical hackers guard your website, report vulnerabilities and earn rewards. You allow people to report any security weaknesses they find through a dedicated channel and strengthen your website before it's attacked, at no cost to your business.

- Launch in 4 minutes
- Leverage the security community
- Managed by our security experts
- Self-serve dashboard
- Reward hackers
- Be known as a security conscious company

For more information, visit: https://www.getastra.com/community-security

7. Our VAPT Customers

Trusted by The Ones You Trust

"Astra carried out a security audit on our digital application which is a solution that allows companies to manage their whistleblower system. Due to the sensitive nature of the information that is processed in the application, we wanted to identify all possible security loopholes. I am very satisfied with the result and the recommendations of the audit report. It was an eye opener. We were able to optimize the security of the app to meet the expectations of our customers."

- Olivier Trupiano, CEO, Signalement (a whistleblowing platform in Europe)

& more...

8. Awards & Recognition

Astra Security was awarded a grant from the French Government under their French Tech Ticket program. We were awarded by the French president Mr. François Hollande himself.

Astra Security was awarded 'Best Cyber Security Startup' by the PM of India Mr. Narendra Modi at the Global Conference on Cyber Security.

Astra Security is recognized by NASSCOM as one of the top 50 emerging cyber security companies & has been awarded the Emerge 50 award.

9. List of Top Security Issues Tested

The following table captures the top security issues found. The list is illustrative of the security issues tested for. During an actual security audit, under each head below thousands of tests are performed, including tailored tests for your application.

Vulnerabilities Tested                               Exploitability   Impact
Configuration and Deployment Misconfiguration        Easy             Moderate
Application or Framework Specific Vulnerabilities    Difficult        Severe
Business Logic Flaws                                 Average          High
Shopping Cart & Payment Gateway Manipulation         Difficult        Severe
Known Security Issues (CVEs)                         Average          Moderate
Weak Identity Management                             Average          High
Broken Authentication                                Average          Severe
Improper Authorization                               Average          Severe
Broken Session Management                            Average          High
Weak Input Validation                                Easy             Moderate
Error Handling                                       Difficult        Moderate
SQL Injection                                        Easy             Severe
Weak or Broken Cryptography                          Difficult        High
Client Side Script Security                          Easy             Moderate
Cross-Site Request Forgery (CSRF)                    Average          Moderate
Cross-Site Scripting (XSS)                           Average          Moderate
Clickjacking                                         Easy             Moderate
Unrestricted File Upload                             Average          Severe
Sensitive Data Exposure                              Average          Severe
Insufficient Attack Protection                       Easy             Moderate
Under-protected APIs                                 Difficult        Moderate
HTTP Security Header Information                     Difficult        Moderate

10. Contact

Secure your business from cyber threats using Astra Security Suite.

How can we help you? Let's talk.

[email protected]
www.getastra.com
fb.com/getAstra
linkedin.com/company/getastra
@getastra

Schedule a Call

Making Security Simple for thousands of online businesses