Security assessment

In an ideal situation, the security of your applications and the vulnerabilities in your code are inspected (periodically);

• Who has access to the application or source code?
• How is data being treated?
• How secure is the cloud configuration?
• Which vulnerabilities does the code contain?
• And how can hackers potentially take advantage of this?

In other words, how secure is the software?

With YieldDD’s security assessment, you’ll get answers to these questions. We provide insight, we interpret, we offer advice and we leave no stone unturned. You will receive an independent, unbiased overview of risks and subsequent steps. That way, you know precisely what the situation is and how you can act on it, whether it concerns software in a merger or acquisition (software due diligence) or your own business-critical software (software assessment).

Based on your wishes and processes, we determine the extent and components of the investigation. In doing so, we take time constraints and deadlines into account, as well as the possibilities to be transparent and to share the source code. We use benchmarks and specialist security tooling for this.

In the end, it is all about customization. The investigation depends entirely on the investigation questions. The most important investigation components are:

• Code guided security assessment
• Application penetration test
• Cloud configuration assessment

The root of many security-related failures can be found in the source code. In this part of the investigation, the code guided security assessment, we gain access to the code and investigate its security. We identify and report possible vulnerabilities.

The investigation consists of the following steps:

• Statistic code analysis with specialised tooling, and with manual (expert eye) assessment and filtering of findings.
• Dynamic expert eye analysis, where the YieldDD experts look for possible vulnerabilities in the code logic and configuration. In combination with a penetration test, we immediately validate whether the vulnerability found could be actively abused. But you can always find the vulnerability in the report, also from the perspective of ‘Defence in D(DiD). This is a cyber security approach that uses multiple security products and practices to protect the network, valuable data and information.
• Check for existing vulnerabilities in the used framework and/or external packages.

In this part of the investigation we execute an active penetration test on the software environments supplied by the client. This means an active attack on applications or web services (API) to see whether the found vulnerabilities can actually be used by hackers. We also look in detail for issues that are mentioned in the OWASP (API) Top 10 and the SANS Top 25.

We carry out two types of penetration tests:

• White-box penetration test: in this test, we have full access to the network and the source code. That makes it possible to discover potential security problems of an application fast and efficiently. In this test the application is investigated based on knowledge unavailable to external hackers.
• Gray-box penetration test: in this test we only have access to account information of the system that needs to be tested. That makes it possible to actively look for vulnerabilities that are present in parts of the application that require authorization. This technique simulates a hacker or malicious insider who can work in a more targeted way; someone with some access to the application, for example after a successful phising attack.

If your system or applications are running on a cloud platform (Azure, AWS, GCP), the level of security is partly determined by the configuration settings in that platform. If your system runs on a cloud platform, we also recommend the cloud configuration assessment for a complete picture of the status of your cyber security.

With this assessment, one of our security experts gets access to an account with sufficient rights on the cloud platform used. Next, the assessment consists of two parts:

• An automatic scan of the cloud configuration.
• A manual assessment of the cloud configuration and the scan results.

Upon completion of this process, we give you an independent and unbiased overview of vulnerabilities, risks and subsequent steps and go beyond analysis and insight. We offer interpretation and advice about your challenges and research issues.

The findings are presented in a concise and clear manner and explained in detail. Besides a clear report, we also provide a personal debriefing. 

In short, thanks to our security insights, you know the status of the software (development), what security risks exist, the level of security a system offers and whether data is being sufficiently protected. This will prevent unpleasant surprises and lead to more secure, future-proof software.