The digital transformation of organizations introduces new risks that must be managed. Assessing the security of applications, websites, web services and the other digital channels and systems an organization develops or acquires, against both internal and external attacks, is a basic measure for mitigating those risks.

Current situation

The purpose of IT security is to protect the confidentiality, integrity and availability of information.
A security breach in the organization's systems, applications or IT infrastructure will almost certainly cause damage, which can take the form of:
  • Loss of reputation.
  • Financial losses.
  • Legal, contractual or regulatory problems.
  • Loss of availability and operational disruption.
  • Information leakage or unauthorized alteration of information.

The security environment in which an organization operates is not static:

  1. New attack vectors are discovered.
  2. The infrastructure changes (new equipment, core software, protocols, devices, etc.).
  3. The environment and the exposure of applications change.
  4. Applications receive feature changes and corrective (bug-fix) changes.

For all these reasons, organizations need to assess the risks associated with their systems, applications and infrastructure, with a frequency that depends on the nature of the process and its level of exposure.
 
Datasec offers several services to address the above issues.
 
The services presented below are broad outlines; each can be offered in different variants adapted to the client's needs.

Each service concludes with a report presenting the results, recommendations and conclusions.

Solutions

Vulnerability scanning

A Vulnerability Scan is the identification, analysis and reporting of vulnerabilities (a vulnerability being a weakness that a threat can exploit, turning it into a risk).

Scans of ports, services and applications can be:

  • External : performed remotely, from the perspective of someone outside the organization.

  • Internal : the security posture is examined from the perspective of an insider, or of someone who already has access to the organization's systems and networks.

  • Mixed : combines the external and internal perspectives.

Automated tools provide a first-pass diagnosis of the security of an application and of the infrastructure it runs on.
It is essential to have analysts who can take that output, verify each reported vulnerability and go deeper than the tool can on its own.
 
Datasec has the tools and the experience to scan applications for vulnerabilities, giving a complete diagnosis of the security of the system under review and of its level of compliance with internationally recognized best practices and standards such as: CWE/SANS Top 25, HIPAA, ISO/IEC 27001, NIST SP 800-53, OWASP Top 10, PCI DSS and Sarbanes-Oxley.

Ethical Hacking

An ethical hack is a service carried out by specialized personnel who, using the same tools and techniques as a real attacker (a cracker), seek to identify security flaws in order to report and correct them, rather than exploiting those flaws to cause damage or for personal gain.

An ethical hack seeks to provide an answer to the following questions:

  • What can an attacker know?
  • What can an attacker do with that information?
  • Could an attack attempt be detected?
  • Could the attack be stopped?

To answer them, a methodology with the following phases is typically followed:

  1. Reconnaissance
  2. Scanning and enumeration
  3. Gaining access
  4. Maintaining access
  5. Covering tracks
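As an added example (not Datasec's own tooling, nor code from the original page), the following Python script shows the "scanning and enumeration" step that both the vulnerability-scanning service above and phase 2 of this methodology rely on: a TCP connect scan with passive banner grabbing, followed by the hand-off point where an analyst must verify what the tool merely observed. It runs against a constructed loopback service so it works offline; the service banner, the port choice and the version-disclosure rule are assumptions made for the demonstration, and a real engagement would target the in-scope hosts with a full scanner.

```python
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample banner: stands in for a real network service during the demo.
SAMPLE_BANNER = b"SSH-2.0-ExampleServer_1.2\r\n"


@dataclass
class ScanResult:
    host: str
    port: int
    state: str          # "open" or "closed"
    banner: str = ""    # whatever the service volunteered on connect


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port and greet each client with `banner`.
    Plays the role of the target host; close the returned socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: stop serving
                return
            try:
                with conn:
                    conn.sendall(banner)
            except OSError:       # client went away first; keep serving
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port() -> int:
    """Pick a loopback port with nothing listening on it (closed-port control)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> ScanResult:
    """TCP connect scan of one port plus a passive banner grab (no payload is sent)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:               # refused, timed out or unreachable: closed/filtered
        s.close()
        return ScanResult(host, port, "closed")
    banner = b""
    try:
        banner = s.recv(256)      # many services speak first (SSH, SMTP, FTP)
    except OSError:               # silent service: open, but no banner
        pass
    finally:
        s.close()
    return ScanResult(host, port, "open", banner.decode("latin-1").strip())


def scan(host: str, ports: List[int]) -> List[ScanResult]:
    return [probe(host, p) for p in ports]


VERSION_RE = re.compile(r"\d+\.\d+")   # assumed heuristic for a disclosed version


def findings(results: List[ScanResult]) -> List[str]:
    """Turn raw scan output into report items. A version string in a banner is
    not a vulnerability by itself; it is a lead that an analyst verifies against
    vendor advisories, the manual step the scanner cannot do."""
    out = []
    for r in results:
        if r.state != "open":
            continue
        line = f"{r.host}:{r.port} open"
        if r.banner:
            line += f" banner={r.banner!r}"
            if VERSION_RE.search(r.banner):
                line += " [version disclosed: verify against advisories]"
        out.append(line)
    return out


if __name__ == "__main__":
    srv, open_port = start_fake_service(SAMPLE_BANNER)
    try:
        for line in findings(scan("127.0.0.1", [open_port, unused_port()])):
            print(line)
    finally:
        srv.close()
```

The last step is the point of the example: the tool only flags what it can observe (an open port and a banner that looks like it carries a version), while deciding whether that service is actually vulnerable, exploitable and in scope is the analyst verification the text calls for.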

Types of ethical hacks

  • Black box: no information about the target is provided, simulating an external attacker who tries to penetrate the systems from outside.

  • White box: unlike black box hacking, the assessment is performed with full knowledge of the target's network, infrastructure and systems. An informed attack is simulated.

  • Gray box: partial knowledge of the target. The simulated attacker has some information and seeks to gain unauthorized access from that starting point.

Secure Development Assurance

Security in software development has matured to the point that there are now several best-practice frameworks against which development processes and models can be evaluated from a security standpoint, across the entire application lifecycle.

Using these frameworks, Datasec consultants perform a gap analysis that gives the organization a clear picture of which security practices it does and does not apply, so that it can identify strengths to replicate across its projects and opportunities for improvement to incorporate.

This service requires interviews with members of the organization's development team in order to cover the aspects the organization wishes to evaluate.

Security training in software development

It is well established that producing secure software requires:

  • [Technology ] A development platform that favors security.

  • [Processes ] Development processes that incorporate security considerations in an appropriate way.

  • [People ] Development personnel trained in security.

It is common to find organizations that have adopted security features and technically very competent staff for a given technology, yet whose development processes include no security considerations and whose personnel sometimes lack a "culture of security"; the result is that the products they produce are not as secure as they should be.

This service trains development personnel in security by walking them through the considerations they should apply throughout the software lifecycle.

The course introduces concepts, tools and frameworks that will allow participants to immediately transfer the acquired knowledge to their daily work.