Code Review Penetration Testing Service

A code review will be carried out on the product source code over several days as necessary based on the programming language type and product complexity. This will involve detailed analysis of the code and will output a list of vulnerabilities and areas where best secure code design practice can be improved.

Specific and general mitigation and remediation options and ongoing consultancy to resolve these issues. Providing a secure product to your customers requires a good understanding the types of threats that are prevalent in the industry today, how your product can be attacked and a full understanding of all the software used to build the product. With the shortage of cyber security skills in the industry and the increased time to market pressures, building and maintaining this knowledge and the expertise is critical.

Covid-19 : Remote Delivery Options

We want to reassure customers that we can still provide internal penetration testing services. We have a range of remote connectivity options and solutions for remotely testing, and we will work with you to ensure the testing can still go ahead as planned and on time.

Benefits of Code Review Penetration Testing

001-online-support

Experienced Consultants

With over 15 years combined corporate expertise in the field of information assurance & penetration testing

002-white-hat

Bespoke penetration testing

We will develop a test that fits your business needs

003-hacking

Testing Tools

We use open source and commercial tools and our own testing apps developed by our in-house software development team

004-compliant

Fully accredited

Certified by CREST and with qualifications from EC Council, Offensive Security and SANS

005-line-chart

Reporting

Clear and easy to understand reports including recommendations for remediation and improvement

006-coins

Fair Pricing

Fixed price proposals with fully detailed project scope and no unexpected costs

Talk to us, before you need us

If you would like your internal or external network tested or you have a web application/portal that requires testing then we can help with any pen-testing project.

Exhaustive, Detailed, and Insightful

Drawing on their in-depth programming and secure development experience, our senior testers will work through a six-stage review process to determine the security of your product’s source code. Depending on the complexity of the project, the testing phase may extend over several days, but it will be completed as timely as possible. Ultimately, our experienced code review team will provide you with a detailed analysis of your code — highlighting any vulnerabilities and areas where secure code design best practices can be improved

Testing hits the highest benchmarks possible in terms of industry standards, allowing our experienced team to potentially uncover a whole host of issues, including injection vulnerabilities, memory leaks, buffer overflows, improper or weak cryptography security, compliance for data protection, and much more

Reviews Across All Coding Languages

Often depending on an organisation’s ambitions, staff experience, and technology, there’s a whole host of coding languages to choose from when creating a digital product. From Python and Java to C and PHP, our experienced team of code reviewers will put your application through its paces, no matter the language or complexity. With a severe lack of cyber security skills across the industry and increased time-to-market pressures, our multi-language cyber security knowledge is invaluable for organisations looking to bring a digital product to market

Penetration Testing Services Available

Wizard Cyber offer a range of penetration testing services to fit your requirements. Please click on the links below to find out more information about each pentest service.

START YOUR PENETRATION TESTING TODAY

Our Process

The 5 steps below are broad categories and can generally be applied to multiple infrastructure assessment types, regardless of whether it is internal, external or some other combination.
timeline_pre_loader

Input/output Data Interfaces

Manual code tracing and automated testing to locate application interfaces and review sanitization of input or output data. This testing is designed to locate potential injection vulnerabilities that may allow an attacker to send malicious input that affects the execution flow

Secure Coding Techniques

Further analysis will be performed to identify sections of code vulnerable to issues such as format string errors, race conditions, memory leaks, buffer overflows, integer overflows or command injection points.

Transport Security

Manual examination will be performed on the protection mechanisms for the network traffic. Improper use of PKI and SSL/TLS validation vulnerabilities will be investigated.

Cryptography

Code will be verified for cryptographic implementation errors that could affect the confidentiality and integrity of data: weak password generation systems, weak random number generators and incorrect use of high level cryptographic primitives.

Data Storage

A review will be carried out to test the protection measures for sensitive data storage. Including Compliance with data protection regulations, suitable use of operating system or platform storage mechanisms. Storage of personally identifiable information and appropriate storage of application sensitive security tokens or keys

Access Control

A review will be carried out to make sure that proper permissions are in place for interfaces, including IPC interfaces, network interfaces requiring authorization/authentication, and filesystems.

Certified By

CREST
Certified-Ethical-Hacker
Offensive-Security
Tiger-Scheme

FAQs

If you have any further questions about our penetration testing service that are not answered below please feel free to call us on 0333 311 0121 or book a meeting with one of our cyber security experts
What is penetration testing?
Penetration testing is where someone takes on a hacker’s role and attempts to compromise or gain unauthorised access to a network or an application. Also known as white hat hacking, a qualified professional will use automated tools and manual processes to uncover any vulnerabilities and misconfigurations that present a cyber-security risk. A penetration test will give companies an overview of their security posture, highlighting flaws and allowing them to be patched before malicious hackers target them. Also known as white hat or ethical hacking, penetration tests are a vital part of an effective security strategy and are a mandatory component of many compliance schemes.
What are the different types of penetration testing?
Several types of penetration testing can be defined as either black, white or grey box testing. It’s also worth specifying there is a difference between an application test and an infrastructure test. As the name suggests, an application test is where a tester looks for flaws within an application to see if there’s any way to get at data or manipulate functionality in a way that wasn’t intended. This can involve cookie theft, XSS, man-in-the-middle attacks etc. On the other hand, infrastructure tests are where the tester attempts to gain entrance to a corporate network.

Black box testing
Black box testing is the closest simulation of real-world hacking in that the tester will know very little, if anything, about the target other than what is publicly available. These are often the least time-consuming tests as it relies solely on the tester discovering vulnerabilities in outwardly facing components. However, whilst these tests accurately represent real-life situations, they will not pick up any vulnerabilities, or misconfigurations present internally. Therefore, they cannot predict what damage an internal threat may cause.

White box testing
White box testing offers the most thorough security test. The tester has a full understanding of the application or infrastructure, how it works, and access from various levels. Likely, they’ll even have access to the source code or have a full detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to gain access from an external position and look to see what damage can be done from an internal perspective.

Grey box testing
Grey box testing is a blend of black and white box testing and is often the most popular test type. The tester will have limited knowledge of the target, potentially including some documentation. They will often have basic user-level access, allowing for partial testing of the target’s internals.
What is the difference between a vulnerability assessment and a penetration test?
The terms penetration test and vulnerability assessment are often wrongly used interchangeably. A vulnerability assessment uses an automated tool to scan a network or application for known vulnerabilities. A penetration test is more involved and encompasses many aspects, providing you with a more comprehensive overview of your overall security.

A vulnerability scan may well be used in the initial stages of a penetration test to see any easily exploited flaws to work with. The tester will then go a step further, using brute-forcing, code injections, social engineering and other methods to exploit the vulnerability to gain access.
What are the stages of a penetration test?
All penetration test projects will start with an accurate scoping. Once the boundaries have been agreed upon and a goal decided upon, testers will begin some reconnaissance. This is the starting point for any hacker and the beginning of the cyber kill chain. This may include looking for any related URLs or domains that could be considered in scope and increase the attack area or conducting some vulnerability scans on their target. If social engineering is included in the test, recon activity may include searching publicly available sources for staff contact details, staff pass designs or email address formats.

The testers will then attempt to exploit any weakness found to gain unauthorised access. This can often have a trial and error-based approach. If successful, the tester will find out the extent of a hacker’s potential reach, compile some evidence and then provide a detailed report along with remediation advice.

Tests will often follow these steps:

  • Scoping
  • Reconnaissance
  • Active Scanning and Vulnerability Analysis
  • Mapping and Service Identification
  • Application Analysis
  • Service Exploitation
  • Privilege Escalation
  • Pivoting
  • Reporting & Debrief
Do I need a penetration test?
It’s recommended that businesses perform penetration tests at least annually or whenever a significant change is made to the environment. Certain compliance packages, such as PCI DSS, make regular penetration tests mandatory. If you want good cyber security, you need a penetration test.
What will I find in my penetration test report?
The content of a report will always depend on who has written the report. Wizard Cybers reports always contain a high-level business executive summary before drilling into an in-depth breakdown of each vulnerability, weakness or misconfiguration discovered, along with the mitigation and remediation advice. We will provide this in order of severity and priority.
How often should penetration testing be carried out?
Penetration testing should be conducted at least once per year.

We would also recommend conducting a penetration test any time you make significant changes to your infrastructure or network, such as when you make an upgrade to software or move to a new office. Our team can advise the best solution for your organisation.

Contact us for more information

Please fill out the form below or call us directly on +44 (0) 333 311 0121.

Loading