
Security Assessment

A secure environment by definition comprises a secure network, secure hosts and secure applications.
The amount spent on security measures to control or contain losses should not exceed the projected loss in the event of an incident. Security assessment ensures that cost-effective security is achieved by balancing the reduction in risk obtained through safeguards against the cost of implementing them.

Why Sumeru for Security Assessment

Sumeru offers a range of cost-effective security assessment services that aim to identify security loopholes at the network, host and application levels and help the company secure its environment and resources. Our methodology is based upon globally accepted standards, the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).

Add to this the fact that we also implement industry best practices and have incorporated several tools and techniques developed through in-house research and development, and you can rest assured that you get the BEST when you deal with Sumeru.

Our team works with you to establish actionable metrics and a tailored, holistic risk management dashboard at the start of each project.


Our Approach for Infrastructure Security Assessment

Sumeru’s approach to Vulnerability Assessment, Penetration Testing and Secure Architecture Design Review focuses both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents.

To ensure that we achieve this, we constantly monitor new information security news and trends and maintain a comprehensive and up-to-date database of everything that is happening in the world of information security.

Our methodology is an evolving system of practices and guidelines, developed over time from our past experience and in-house Research & Development initiatives. The framework has been strengthened by adopting globally accepted and recognized best practices and standards. At present, our framework is largely based upon the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP), which cover:

  • Vulnerability Assessment and Penetration Testing Authorization, authorizing Sumeru to conduct the assignment.
  • NDA (Non-Disclosure Agreement) for the client's benefit, assuring the client that we will do everything possible to maintain the confidentiality of information gleaned and vulnerabilities detected during the exercise.

Sumeru’s Vulnerability Assessment

Sumeru constantly monitors new vulnerability announcements and maintains a comprehensive and up-to-date database of vulnerabilities and vulnerability checks. Each record contains details of the network security issue or vulnerability and suggestions on how to patch and secure the software or hardware involved.

Sumeru’s Vulnerability Assessment is typically performed according to the following steps:

  • Cataloging assets and capabilities (resources) in a system.
  • Assigning a quantifiable value (or at least a rank order) and importance to those resources.
  • Identifying the vulnerabilities or potential threats to each resource and the criticality of each vulnerability.

The various phases in which these steps are implemented are:

  • External Vulnerability Assessment
  • Internal Vulnerability Assessment
  • Threat Profiling and Analysis
  • Vulnerability Assessment Reporting

To start with, Sumeru performs a security mapping of an organization's network and simulates attacks originating from either the internal or the external network.

Once the security mapping is complete, a detailed vulnerability report specifying the security breaches, along with several practical and easy-to-apply solutions to fix those vulnerabilities, is generated.

Sumeru's Penetration Testing

Sumeru’s approach to Penetration Testing focuses both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents.


Secure Architecture Design Review (SADR)

Very often, it is an exposure point on the network perimeter of a company that proves to be the loophole in the company's security arrangement. When a company opens its perimeter to consumers and business partners, system-level security becomes even more critical, as this forces an increase in exposure points.

Secure Architecture Design Review is a comprehensive service that measures the security health of your IT infrastructure. Sumeru’s consultants evaluate the configuration, security settings, operating procedures and policies of your company in an effort to reduce the attack surface.


Application Security Assessment

According to a recent study:

  • 70-80% of vulnerabilities now exist at the application layer
  • 3 out of 4 business websites are vulnerable to attack
  • 90,000 web sites were compromised (and their visitors infected) in one attack in January 2008.

Web applications have become ubiquitous today, as they are available to potentially millions of users with internet access without the need to distribute and install software on client computers.

At the same time, applications have become more prone to common internet security threats such as data theft, denial of service and application compromise.

An application security assessment helps identify issues related to:

  • Vulnerabilities and risks in your web applications
  • Known and unknown vulnerabilities (0-day)
  • Technical vulnerabilities: URL Manipulation, SQL Injection, Cross Site Scripting, Session Hijacking, Buffer Overflow, Web server configuration, Insecure Communications, etc.
  • Business Risks: Credit card stealing, Identity Theft, Pricelist modification, Unauthorized funds transfer, Logic bombs, Application backdoors, Fraud detection, etc.

Our Approach for Application Security Assessment

Sumeru's application security assessment measures the security resilience of the application. We carry out several processes in a structured manner to identify lacunae that could compromise the system.

The following additions to our service suite contribute immensely to attaining the ultimate goal of ‘Comprehensive Application Security’ for the client organization.

  • Application Security Partner Model: This is a unique ‘Team in Team Model’ on a project basis, where the client organization has the advantage of having the Sumeru Application Security team as its extended arm. In this model, continuous security training is also provided to the development team of the client organization.

  • Training, Remediation and Certification: A team from the client organization is trained on ‘Best Practices’ for Secure Coding and on building a risk-based ‘Threat Model’. Apart from this, they are also given an overview of Application Security. Based on the outcome of the ‘Assessment Phase’, our team of 40 – 50 Application Development Professionals with secure coding experience works towards fixing the ‘security holes’. This support may be either advisory or hands-on, depending on the client’s requirement.

Post remediation, we test the application once more to be absolutely certain that the client’s site is secure and issue the client a ‘SAS Certificate’. The ‘SAS Certificate’ attests that the client’s site meets stringent security criteria and is immune to attacks.

When you deal with Sumeru, you not only get the service that you pay for, you also get other services embedded within the primary service offering, thus ensuring that you get the BEST value for your money!

Application Penetration Testing at Sumeru

Our application security experts examine the security aspects of the application, including the threats pertaining to its code, environment, communication and database. The aim is to uncover gaps that could expose sensitive data to unauthorized users, allow such users to manipulate data, or even allow them to render the system unusable and the data irretrievable.

We carry out our application penetration testing using either a white-box or a black-box approach, as per the client’s requirement.

Secure Code Review (SCR) at Sumeru

Industry-led research shows that code reviews are a significantly more cost-effective testing solution than traditional dynamic black-box testing. This is why Sumeru has developed a unique and innovative Secure Code Review process.

Secure code review is the process of auditing the code of an application on a line-by-line basis for its security quality. Code review is a way of ensuring that the application is developed in an appropriate fashion so as to be “self-defending” in its given environment.

Peer review is not a substitute for security code review. Peer code review is typically used to find functional bugs, so unless the review is targeted at finding security vulnerabilities and, more importantly, the reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws will be missed.

Secure code review is a manual process. It is labor-intensive and not very scalable, but it is accurate if performed by humans. For this, Sumeru has put together a highly skilled research and innovation team comprising Technical Architects, Security Domain Specialists, Project Managers and others to carry out Secure Code Review projects. We have also come up with a pragmatic framework for undertaking Secure Code Reviews, with multiple components.

Some of the components are:

  • Application Component Study
  • Questionnaire-supported Discovery
  • Risk & Attack Profiling
  • Reviews
  • Business Impact Analysis
  • Technical Flaw Analysis
  • Business Risk Report
  • Technical Information Report
  • Application Context Report
  • Specific Attack Profile Document

Threat Model

Our business analysts analyze the requirements met by the software application to ensure that it meets the desired norms and levels, and draw up the necessary Threat Models highlighting the threats, their mitigation strategies and the application's access points.

This helps your company decide on the most cost-effective and suitable security measures to protect its data.