Web Infomatrix Threat Modeling service is a key security analysis technique that can help development and management teams identify critical risks and make better security decisions. It is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses.
Web Infomatrix security experts thoroughly assess application designs throughout the SDLC for both technical and non-technical perspective. This procedure helps optimize Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
The result is a detailed report of findings and specific recommendations for remediating any vulnerabilities found.
Web Infomatrix 's Vulnerability Assessment Service helps safeguard your organisation against failure, through
Threat Modeling is a key and often under appreciated security analysis technique that development and management teams use to identify critical risks and make better security decisions. Whether performed on an existing application or throughout the software development lifecycle, Threat Modeling is an essential component of risk management because it helps quantify and visualize the otherwise intangible threats that an application carries. The time required to analyze a large number of applications is greatly reduced, while exposing REAL threats with minimal false positives. Furthermore it facilitates the co-operation between design decisions, implementation guidelines, testing activities and risk mitigation and produces a persistent and tangible asset that can be used at a later date when new risks are uncovered.
For many organisations, security is more of an afterthought and bolted on in the later stages of the software development lifecycle (SDLC). In this context, a threat model begins with identifying the applications features and user/attacker entry points, noting feature characteristics such as its relevancy to security and access level required to perform related tasks. These high-level threats are then broken down into sub-threats that can be more easily addressed and prioritized using various ranking techniques.
Proactive organisations integrate security at all stages of the SDLC and in doing so, threat analysis is used to its full potential. The process by which threats are characterized and ranked can be similar to the one described above, however the threat model will evolve as the product progresses through its lifecycle and be leveraged for decision making. For example, at the requirements/design phase, you might reject the addition of a feature because of the additional attack vectors it creates.
Effective threat analysis requires security expertise as well as intimate knowledge of the application and implementation. We work closely with your team to ensure that we identify the full range of threats your application faces. Our process includes the following steps:
Web Infomatrix's Penetration Testing service can meet the requirements of many standards and guidelines in relation to information security. Our Penetration Testing team has working knowledge of the following standards and attempt to exceedingly meet thier requirements.
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.
ISACA was established in 1967 and has become a pace-setting global organisation for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good it only concentrates on infrastructure testing and not application. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties, and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as ISO/IEC 17799. ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007. The BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005. BS7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Administrative Simplification (AS) provisions of HIPPA, require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.