Our philosophy is that good testing requires good planning. However, good testing also requires a “look around” to understand the system as it really is used — in a way that cannot be ascertained from a specification document. As a result, we provide an equal mix of three different approaches to cyber security testing: 1) prescribed functional tests for security features (to ensure they work as they are expected), 2) exploratory testing of the application to determine weak points, attack vectors and missing or extra functionality, and 3) automated testing for common, high risk vulnerabilities.
For this reason, iMC’s security testing methodology is based on the standards set forth by the Open Web Application Security Project (OWASP). In the past, the security industry lacked a comprehensive framework for classifying vulnerabilities according to the potential damage the organization under attack would experience. In our team’s extensive industry experience, OWASP has filled this gap by providing impartial, practical information about application security to organizations worldwide. Furthermore, OWASP supports government agencies by providing software tools and knowledge-based documentation to protect against identified threats.
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Controls
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Our approach to external cyber security penetration testing is to employ a three-step process for developing and executing test cases:
Exploratory tests are performed, based on publicly available knowledge, specification documentation, system understanding, industry experience, etc.
Individual vulnerabilities are tested, based on an understanding of the threats previously identified in the threat modeling exercise.
Finally, any vulnerabilities realized during the testing phase are classified based on the risk of exploitation they represent.
iMC brings a team of highly technical security professionals who are uniquely equipped to exploit weaknesses in the same manner that unethical hackers/attackers would. While iMC utilizes a number of security professionals with various skill sets, our key team members come with some of the following credentials:
- Award-winning security work
- Trained Department of Defense (DOD), White House, US Marine Corps, Navy, Air Force, Lockheed Martin, etc.
- Taught Ethical Hacking in all 50 states and 10+ countries
- Lead Instructor on Cyber Threat and Response Exercises for all Military Branches
- Information Assurance & Defensive Cyber Operations – US Army
- EC Council Instructor of the Year (2014)
- Former government CISO & Top 100 CSO in the USA by CISO Magazine
- SANS – GIAC Curriculum Developer & Instructor & International Advisory Board
- FBI Infraguard
- CISSP, GICSP, GCFA, GSEC, GCIH, GCIA, GCWN, GPEN, GSNA, CISA, C|HFI, C|EH, CISM, CCSA, CCSE, CCNA, CDE, CNA, MCP, MCDBA, MCITP, Security+, Certified Trainer