Returen to PCI services


Penetration Testing

What atsec offers
atsec China offers a variety of network vulnerability assessment and penetration testing services. Using our expertise in operating system and network appliance evaluations, we are able to offer unique penetration testing services customized to your company's specific environment and requirements. We have worked closely with organizations in both the private and public sectors and helped ensure they have the most thorough and up to date understanding of their organization's security posture.

We understand that your web servers, databases, networks, and mainframes are critical resources that need to be treated with great care. Our project procedures require that our penetration testers work closely with your team to reduce any risk that your operations are adversely affected during penetration testing. We work to ensure that any testing is properly scoped and that escalation plans are in place before the testing commences.

We offer penetration testing related to:

  • Network and Application Penetration Testing
  • Mobile APP Penetration Testing
  • IoT Penetration Testing
  • Mainframe Penetration Testing
  • Social Engineering Testing

atsec China maintains the @PT LAB which has its own methodology and knowledge to perform penetration testing.

Network and Application Penetration Testing
We offer network and application penetration testing service which is performed automatically and manually by atsec penetration testing experts.

Network penetration testing aims to identify and exploit vulnerabilities in your networks, systems and network devices. Emulate an attacker to gain access to an end user's system, this involves uncovering user authentication credentials, administrative privilege escalation, deep packet inspection bypass, attempting to environment compromise, etc.

Application penetration testing aims to identify and exploit web application vulnerabilities. OWASP methodology is considered for our web application penetration testing, and this involves parameter tampering, cookie poisoning, session hijacking, user privilege escalation, credential manipulation, backdoors and debug options finding, web and application servers misconfiguration, input validation bypass, SQL injection, cross site scripting, etc.

Mobile APP Penetration Testing
Mobile APP testing aims to identify vulnerabilities within the mobile application, and these vulnerabilities will may lead to leak the sensitive information. The Mobile App Security Verification Standard (MASVS) and associated checklist will be used. A typical security test is structured as follows:

  • Preparation - defining the scope of security testing, including identifying applicable security controls, the organization's testing goals, and sensitive data.
  • Intelligence Gathering - analyzing the environmental and architectural context of the app to gain a general contextual understanding.
  • Mapping the Application - Mapping provides a thorough understanding of the app, its entry points, the data it holds, and the main potential vulnerabilities.
  • Exploitation - in this phase, the security tester tries to penetrate the app by exploiting the vulnerabilities identified during the previous phase.
  • Reporting - in this phase, which is essential to the client, the security tester reports the vulnerabilities which can be exploited and documents the kind of compromise.

IoT Penetration Testing
We offer IoT penetration testing service, including Analysis and exploitation of firmware, Exploitation of embedded web applications, Exploitation of IoT mobile applications, IoT hardware hacking, Radio hacking, etc.

  • • Analysis and Exploitation of Firmware - We will obtain and analyze the content of the firmware, and emulate firmware for dynamic analysis, and try to discover backdoor accounts, injection flaws, buffer overflows and other vulnerabilities. We will also assess the device’s firmware upgrade process and boot process to ensure that upgrade functionality is secure.
  • Exploitation of Embedded Web Applications - We will try to discover and exploit some IoT common vulnerabilities, such as command injection, Cross-site scripting (XSS), directory traversal, authentication bypass, session hijacking, XML External Entity (XXE), cross-site request forgery (CSRF), and other business logic flaws.
  • Exploitation of IoT Mobile Applications - We will firstly acquire IoT mobile applications, then separately perform the static and dynamic analysis. The static analysis includes reverse engineering the application code, unauthorized code modification, cryptographic based storage strength, poor key management process, etc. The dynamic analysis includes insecure application storage, unrestricted backup file, insufficient WebView hardening, SSL pinning implementation, session timeout protection, etc.
  • IoT Hardware Hacking - We will examine the physical security and internal architecture of the device. This service may include component indication, firmware extraction, identification of test points, and reconfiguring the device’s hardware to bypass authentication, intercept traffic, and/or inject commands, etc.
  • Radio Hacking - We will test communications to and from the device. This includes testing the cryptographic security of encrypted transmissions, the ability to capture and modify transmissions of data.

Mainframe Penetration Testing
atsec have unparalleled expertise, skills and knowledge of mainframes. We are the company that has evaluated z/OS and other applications at the stringent EAL4 and EAL5 level for the Common Criteria certification. These evaluations include thorough analysis of security functionality using design information from the architectural level to source code analysis. Included are independent tests (penetration tests) as well as assessment of developer testing and a thorough vulnerability analysis. Check http://www.atsec.com for the full list.

Our mainframe operating system penetration testing uses a four-step process to exploit your mainframe either via authorized access or by compromising access control mechanisms:

  • Organizational Review - to obtain an overview of the operational environment and security infrastructure, as well as establish project working protocols and goals.
  • System Audit - to further understand, in depth, the system configuration, enabling identification of potential vulnerabilities in the configuration. The audit identifies areas to potentially exploit for penetration.
  • Penetration Test - perform manual and automated penetration tests based on the acquired knowledge of the environment obtained in the previous steps and industry standard methods.
  • Security Impact and Recommendations - provide security impact statement and recommendations. These recommendations can be used as input to a risk assessment plan in order to implement recommended corrective actions.

Social Engineering Testing
We offer social engineering testing service for many organizations to take a closer look at one of their most vulnerable targets: their employees. Social engineering is an attack method that induces a person to unknowingly divulge confidential data or to perform an action that enables you to compromise their system. Social engineering testing we can provide includes but not limited to the following aspects.

  • Impersonation - The attacker impersonates a person within the organization with power over someone with the necessary information or access privileges and asks the subordinate to gather the information or perform the task required.
  • Shoulder Surfing – The attacker attempts to obtain information such as personal identification numbers (PINs), password or other confidential data by looking over the victim's shoulder.
  • Email/Website Phishing - The phishing email messages may direct you to spoofed websites. The testers try to trick you into providing your user name and password so that they can gain access to an online account. Once they gain access, your or company’s confidential information may result in leakage.
  • Voice Phishing (Vishing) - Vishing is IP telephony’s version of phishing and uses voice messages to steal identities and financial resources.

Why our service is important to you
Regular penetration tests are an appreciated measure to guarantee a current overview of your company's security. Deficiencies in organizational processes for intrusion detection and reaction can be identified. Penetration testing shows whether a company's security policy is a living document or just another piece of paperwork.

Penetration testing is sometimes mandated or expected from various regulatory bodies proving due diligence and compliance evidence supporting the Payment card Industry Data Security Standard Section 11.3, ISO/IEC 27001, FISMA Certification and Accreditation NIST SP 800-53A, etc.

Our consultants are familiar with the evolving methodologies available including the Open Web Application Security Project (OWASP), NIST SP 800-115, and the Open Source Security Testing Methodology Manual (OSTMM).

atsec is a mature and professional company, we are well aware of the potential risks for you arising from penetration testing activities and work with you to minimize these and operate within your parameters for testing. We are independent of third party vendor and service influences and are not tempted to recommend specific solutions due to an ongoing business relationship with any particular vendors.

For more information
For more information about this service, please contact us at info_cn@atsec.com.