Customer Reviews
“They deliver on their promises and work hard towards making you aware of any potential threats”
Redbot Security
1312 17th Street #523, Denver
-
a month ago
Another fantastic work. Scanning and identifying the issues in a timely fashion was impressive. Their professional suggestions were highly helpful. Looking forward to continuing working with Redbot Security -
6 months ago
Great company to work with. I'm glad I picked Redbot for my security audits as everyone there are talented and very easy to work with. They deliver on their promises and work hard towards making you aware of any potential threats … More or issues in your IT infrastructure as well as following up with you to ensure that any issues have been corrected.
I would recommend this company to anyone who's looking to improve their network and IT infrastructure with best practices. -
2 months ago
It was a pleasure to work with RedBot security to perform an external penetration test for us (GYANT.com). Everyone I've interacted with is very professional and responsive. The penn test was thorough and well-documented. I also appreciate … More the prompt re-test. -
a year ago
I absolutely recommend Redbot Security. Phenomenal service. Accuracy and getting the job done in the timely fashion is very important to my organization. Truly impressed by their professionalism and appreciated their suggestions and directions. … More Looking forward to continue working with them. Redbot Security rocks…. -
a year ago
Highly Recommend. From initial contact to scope and report delivery, all top-notch. 3rd Pen-test company that we've used and they were by far the best.
Redbot Security will perform a Web Application Penetration Test on the following web applications, impersonating the user profiles indicated in each case:
Testing from an Anonymous User profile is any user on the Internet that has access to certain functionality from the web application which is available to unauthenticated users. This usually includes a login page for users to authenticate against the application and, if the authentication succeeds, users gain access to more application functionality.
The other attacker profile mimics registered users of the application, having access to certain functionality that isn’t available to the unauthenticated public but is available to users that belong to that specific profile.
Tests will look for the following issues, among others:
- Review of session management, focused on verifying that proper tracking of the user is performed throughout the application.
- Authentication/authorization and communication mechanisms, aimed at examining that proper authentication is in place and that authorization controls are applied to application user’s actions.
- Information leakage, intended at determining if confidential information or information that might otherwise aid an attacker is disclosed by the application or its environment.
- Input validation, verifies that all user input is correctly validated, and sanitized if necessary, to ensure that the application behaves as expected independently of the submitted input.
- Output encoding mechanisms, must be correctly enforced by the application to ensure a consistent interpretation of the application’s output.
- Filtering layers, focused on verifying that the necessary filtering mechanisms are in place to proactively defend against common web service attacks.
- SSL encryption analysis, examining the security levels of the encryption ciphers supported by the web server, as well as the proper use of certificates (both server-side, and client-side if supported).
- Parameter passing, testing that all parameter handling is performed in a secure manner. For example, looking for authorization information mishandled by the application, which instead of being stored server-side is sent by the user.
- Application logic flow, aimed at verifying that the intended application flow is enforced by the application (i.e. that an attacker is not able to control the application flow at will, for example, bypass controls).
- Cross-site scripting, aimed at identifying cross-site scripting vulnerabilities throughout the application due to improper encoding of user supplied input.
- SQL injections, focused on determining when user input is used to construct database queries and testing the possibility of specially crafting input to control the queries, beyond the programmer’s intention.
- Path traversals, aimed at identifying when user input is used to construct file paths and attempting to specially craft user input to escape the directory structure imposed by the application.
- XML and Xpath injections, determining user input used to construct XML or Xpath queries and verifying if it is possible to inject XMLtags or modify the Xpath query.
- Certificate testing, which consists of checking that the certificates used by the application are proper (i.e. have not expired, are issued by a trusted certificate authority and are issued to the correct domain name).
- Integer underflow/overflow problems, aimed at identifying such conditions when dealing with numeric user input.
- Buffer overflow causing conditions, verifying that proper bounds checking are performed when handling data.
- Others that could be present on the application reviewed.
It is worth mentioning that the Redbot Security tests not only cover but go beyond the scope for the current OWASP Top 10 list of the most critical web application security flaws.
Redbot Security utilizes a comprehensive assessment methodology, providing results with the utmost accuracy and ensuring representational coverage of risks facing an application or information system. This assessment methodology is based upon understanding of the business use cases, types of data stored, processed, or transmitted by a given system or system component. This evaluation involves a form of threat modeling by which system components are broken into their constituent elements representing use cases, data, users, processes, components, technologies and boundaries. Once these elements are decomposed, potential risks affecting their interaction is evaluated by the assessment team
We are passionate about delivering cost effective solutions that always consider our customer’s priorities and goals first.
Personnel within our combined project team are Certified Incident Responders and Industrial Control System Certified – Incident Command System, FEMA, U.S Department of Homeland Security Cyber Emergency Response Team, OPSEC, Influence of Common IT Components ICS, Mapping IT Defense to ICS, Current Trends (threats) (vulnerabilities)– ICS, IT & ICS Attack Methodologies, ICS Domains, Determining the Impacts of a Cybersecurity Incident. Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), GIAC Penetration Tester (GPEN) GIAC Web Application Penetration Tester (GWAPT), EC Council Certified Ethical Hacker C|EH, Certified Digital Forensic Examiner (CDFE) Defense Cyber Crime Institute (DCITA) DoD, Certified Digital Media Collector (CDMC) Defense Cyber Crime Institute (DCITA) DoD, Certified Information Assurance Security Officer (IASO) DoD. Penetration Certification, Security+, CCNP, CCNA, CCDP, CCDA, MCSE, A+ CWNA CWDP and a variety of firewall and network solution Certifications.
About Redbot Security
Redbot Security provides industry leading manual penetration testing. Our team of CISSP Senior Level Engineers are fully certified ethical hackers. We specialize in controlled, manual exploitation of Wireless, Internal, External, App, ICS/SCADA Penetration Testing and provide the industry’s best customer experience, scoping and service delivery.
Phone: 866-4-REDBOT
Related Posts
TELL US MORE ABOUT YOUR PROJECT
We have the solutions to create awareness, improve your security posture and manage ongoing threat detection. Protecting and Defending your Network and Data
Redbot Social