Comprehensive security discovery - combining penetration testing and source code analysis.
Former Chief Executive Officer
Penetration Testing and Source Code Analysis - two effective ways to uncover security vulnerabilities. How can you get the best of both worlds? For the greatest Return On Security Investment (ROSI) AsTech recommends a hybrid assessment where penetration test findings drive the source code analysis as part of a unified, collaborative effort that delivers clear results in terms of actual risk.
A hybrid assessment consists of performing a penetration test in combination with a source code assessment, providing the most comprehensive set of vulnerability findings and a much more accurate picture of the true risk of exploitability. A hybrid assessment can focus on confirming the vulnerabilities found in a penetration test within the source code and on verifying whether service layer controls are effective. A further value of the hybrid approach is that more false positive results are identified as part of the process, rather than after the fact, saving time and money.
AsTech’s security experts perform both external penetration testing using Dynamic Application Security Testing (DAST) and source code analysis using Static Application Security Testing (SAST). Penetration testing provides the significant perspective gained from an attacker’s point of view, and drives part of the source code analysis, verifying the initial findings in the actual lines of code.
Likewise, findings from the source code analysis are checked to verify if they are exploitable from an external perspective. This combination of source code review and penetration testing services offers the most well-rounded view of an application’s security posture.
The Network Application Penetration test can be combined with any level of Application Security assessment to provide a customized Hybrid Assessment tailored to your specific business needs.
A penetration test is the first phase of a Hybrid Assessment. However, it is performed with full access to the underlying source code base. This allows AsTech engineers to zero in on penetration test findings in the actual source code and verify the risk level of each vulnerability.
An application source code analysis is the second phase of a Hybrid Assessment. This will discover additional vulnerabilities that a penetration test may not find, but would be available to a hacker if the application is breached. If the client partner chooses greater levels of analysis, AsTech engineers will identify any potential structural flaws in its design. This includes issues related to application logic or architecture.
The deliverable from this hybrid security assessment is a comprehensive report of all findings, ranked by severity to ease remediation prioritization. AsTech has developed reporting mechanisms which allow client partners to exchange information regarding mitigating controls within the report. This results in greater participation and 'buy-in' from key stakeholders.
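The correlation step that the two phases above rest on can be made concrete. The following is an added illustration, not AsTech's tooling or methodology code: it joins penetration test (DAST) findings with source code (SAST) findings on a normalized (category, route, parameter) key, marks each result as confirmed, runtime-only, unverified, or likely mitigated by a service layer control, and ranks the result by that status and then by severity for the report. Every finding, route, parameter, and file location in the sample data is constructed for the example.

```python
"""Correlate DAST (penetration test) and SAST (source code) findings into one
hybrid-assessment view.

Added illustration: the data model and correlation rules are assumptions for
this example, and all findings, routes, parameters, and file locations below
are constructed sample data, not results from a real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Correlation status, most to least urgent for remediation prioritization.
STATUS_RANK = {
    "confirmed": 3,         # found in code and exploited at runtime: true risk
    "runtime-only": 2,      # exploited at runtime, root cause not yet located in code
    "unverified": 1,        # found in code, endpoint never exercised by the pentest
    "likely-mitigated": 0,  # found in code, pentest exercised it without success
}


@dataclass(frozen=True)
class Finding:
    source: str     # "DAST" or "SAST"
    category: str   # vulnerability class, e.g. "sqli", "xss"
    endpoint: str   # HTTP route the code serves / the request hit
    parameter: str  # tainted input name
    severity: str   # key of SEVERITY_RANK
    evidence: str   # request summary for DAST, file:line for SAST


Key = Tuple[str, str, str]


def norm_route(route: str) -> str:
    """Normalize a route so '/search/' and '/Search' compare equal."""
    return route.rstrip("/").lower() or "/"


def key_of(f: Finding) -> Key:
    """Join key shared by the two tools' findings."""
    return (f.category.lower(), norm_route(f.endpoint), f.parameter.lower())


def correlate(dast: List[Finding], sast: List[Finding],
              dast_coverage: Set[Tuple[str, str]]) -> List[dict]:
    """Merge SAST and DAST findings; dast_coverage lists (route, parameter)
    pairs the pentest actively exercised, used to spot effective controls."""
    covered = {(norm_route(r), p.lower()) for r, p in dast_coverage}
    dast_by_key: Dict[Key, List[Finding]] = {}
    for f in dast:
        dast_by_key.setdefault(key_of(f), []).append(f)

    rows: List[dict] = []
    seen: Set[Key] = set()
    for s in sast:
        k = key_of(s)
        seen.add(k)
        matches = dast_by_key.get(k, [])
        if matches:
            status = "confirmed"
            # Confirmed issues take the worst severity either side assigned.
            severity = max([s.severity] + [m.severity for m in matches],
                           key=SEVERITY_RANK.get)
        elif (k[1], k[2]) in covered:
            status = "likely-mitigated"  # candidate false positive: verify the control
            severity = s.severity
        else:
            status = "unverified"
            severity = s.severity
        rows.append({"key": k, "status": status, "severity": severity,
                     "code": s.evidence, "runtime": [m.evidence for m in matches]})

    # Runtime findings with no code match still need a root-cause location.
    for k, matches in dast_by_key.items():
        if k not in seen:
            rows.append({"key": k, "status": "runtime-only",
                         "severity": max((m.severity for m in matches),
                                         key=SEVERITY_RANK.get),
                         "code": None, "runtime": [m.evidence for m in matches]})
    return rows


def rank(rows: List[dict]) -> List[dict]:
    """Order for the report: correlation status first, then severity."""
    return sorted(rows, key=lambda r: (STATUS_RANK[r["status"]],
                                       SEVERITY_RANK[r["severity"]]), reverse=True)


# --- constructed sample data -------------------------------------------------
DAST_FINDINGS = [
    Finding("DAST", "sqli", "/api/users", "id", "high",
            "database error returned when id parameter was malformed"),
    Finding("DAST", "xss", "/search/", "q", "medium",
            "test marker reflected unencoded in response body"),
]
SAST_FINDINGS = [
    Finding("SAST", "sqli", "/api/users", "id", "critical",
            "users_repo.py:42 query built by string concatenation"),
    Finding("SAST", "xss", "/api/orders", "status", "medium",
            "orders_view.py:17 template output not escaped"),
    Finding("SAST", "path-traversal", "/files", "name", "high",
            "file_handler.py:9 user-supplied name joined into filesystem path"),
]
# (route, parameter) pairs the pentest exercised; /files was out of scope.
DAST_COVERAGE = {("/api/users", "id"), ("/search", "q"), ("/api/orders", "status")}


def hybrid_report() -> List[dict]:
    return rank(correlate(DAST_FINDINGS, SAST_FINDINGS, DAST_COVERAGE))


if __name__ == "__main__":
    for r in hybrid_report():
        print(f"{r['status']:<16} {r['severity']:<8} {r['key']}  code={r['code']}")
```

The ordering puts the confirmed SQL injection first, the runtime-only reflected XSS second (exploited but not yet traced to a line of code), the unverified path traversal third, and the XSS the pentest could not trigger last, flagged for a check of the output-encoding control before it is reported as a false positive.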