Application Security Assessment &
Penetration Testing
Enumerate vulnerabilities and possible exploits, discard false positives, attempt exploitation/escalation (with and without credentials). Remediation recommendations. (Learn More)
Flavors:
Code review to supplement and enhance penetration testing to allow more rapid enumeration of flaws and more thorough analysis. (Learn More)
Understand your application as a target, by analysis of attack surfaces and the threats that could impact them. (Learn More)
Your developers are busy building functionality, but are they thinking enough about and building security? Let us show you and them how insecure coding practices can lead to flaws that can be hacked, and how to write code to avoid them. (Learn More)
Your app is secure, it should be hosted securely, as well. Analysis of your cloud infrastructure to enumerate flaws and provide recommendations to harden your cloud (AWS, Azure, Google Cloud, Docker, …). (Learn More)
Get ready for your SOC 2. You have secured your app and its operating environment, now demonstrate it to clients and investors. Be ready for your attestation. (Learn More)
Assess the security of your IoT systems. Includes systems disign, device security, networking, data protection, risk assessment, and policies. (Request More Information)
#1
0
Delivering confidence in all aspects of information security through assessment and penetration testing
The Illumant team is continually discovering heretofore unknown vulnerabilities in systems, web applications, mobile apps, medical devices, IoT systems, etc. Our robust research practice helps keep our clients ahead of the hackers. Illumant's reports allow our clients to prioritized remediation activities.
Some of best pentesters are also great secure coding and software design instructors
Credentialed and/or non-credentialed vulnerability assessment and penetration testing of web-based and intranet applications.Testing covers injection (URL, SQL, LDAP, cookie etc.), authentication, session management, cross-site scripting, object/function access control, and more
The AppSA enumerates security flaws that could expose your data, your clients, to security breaches, and provides remediation recommendations through vulnerability assessment and penetration testing of live applications – with and/or without credentials.
Vulnerabilities targeted: logic flaws, injection (SQL, LDAP, URL …), session hijacking, XSS, CSRF, SSRF, encryption flaws, misconfigurations, vulnerable components, forged forward and redirects, and more
Testing provides comparisons of applications against OWASP Top 10 and other relevant application security standards.
The AppSA can be coupled with the CodeSA (code review) to expand the depth of the assessment, and to enhance recommendations.
The ThreatM identifies:
Applications are modeled as functional blocks, and a systematic process is used to enumerate and evaluate threats and impact.
Illumant leverages the STRIDE methodology and its variants, which look for the following threats to desired properties:
| Threat | Security Objective |
|---|---|
| Spoofing | Authenticity |
| Tampering | Integrity | Repudiation | Non-repudiability | Denial of Service | Availability | Elevation of Privilege | Authorization |
This approach provides a formal framework for embedding security in system design.
The CloudSA is a review of the configuration of cloud infrastructure to ensure maximal security.
In-depth, platform specific review of cloud-based application infrastructure and underlying components to assess compliance with security best-practices. In-depth, platform specific review of cloud-based application infrastructure and underlying components to assess compliance with security best-practices. Platforms include Amazon Web Service, Google Cloud Platform, Microsoft Azure, IBM BlueMix and more. This assessment looks at the security of the various components of cloud-based applications including identity and access management, virtual machines, virtual networking, virtual security appliances, data storage, databases, and virtual private clouds. Common target platforms include:
Comprehensive reviews of:
The CloudSA also targets container configuration and orchestration.
The CodeSA couples static code analysis and dynamic application testing to enhance the depth of analysis and improve efficiency of vulnerability identification, while preserving impact validation:
Adding code review to dynamic analysis:
Security vulnerabilities in web applications are the result of code defects – secure development education isn’t ubiquitous yet, so most developers haven’t received it when they learned to code. Even today, for many developers, security is an afterthought at best.
Developers frequently make the same security related coding errors repeatedly, so training them to avoid of even one insecure development practice will lead to greater security throughout an application.
Illumant's Secure Development training aims to teach developers about the threats to applications, common coding mistakes, and the fundamentals of secure application development to ensure future coding is planned and executed securely.
This training also includes an online lab where developers are able to compete to exploit insecure code and identify secure coding practices. A leaderboard will help users compare their times with their peers.
Prepares a service organization to obtain SOC 2/SOC 3 reports (aka SAS 70, SSAE 16, AT 101, WebTrust, SysTrust) by identifying gaps between existing controls, attestation standards and applicable trust principles, by designing and documenting controls, and by testing controls to ensure a successful audit.
Service Organization Control (SOC) reports are a closely related family of attestation reports that provide assurance to clients and client auditors that controls are in place to ensure security, integrity and confidentiality of client data. SOC reports are a critical tool for gaining and maintaining service customers by providing assurance that security and integrity of data are well protected while processed and handled by service organizations, in particular those with software-as-a-service (SAAS) products. Illumant helps its clients select the appropriate SOC report(s) and helps them obtain independent attestation, by designing and documenting controls, policies and procedures, by collecting evidence to demonstrate the operating effectiveness of those controls, and by communicating with auditors to ensure a smooth attest engagement.
Founded in 1999, Illumant has been at the forefront of Internet and information security since its inception. Illumant was one of the first companies to offer penetration testing and security assessment services to its clients, long before security was little more than an afterthought. Illumant was among the first companies to offer security compliance services as information security standards, laws and regulations started to emerge.
Illumant's founders graduated from Stanford University with degrees in Engineering and Physics in the earliest stages of the first Internet bubble, with the aim to address the vastly underserved information security arena. Illumant crafted services to help organizations identify security weaknesses in technical infrastructure and security posture to help head off threats before potentially costly security breaches.
Utilizing an arsenal of assessment services spanning internal and external, and technical and organizational perspectives, including:
Illumant has conducted thousands of assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Illumant has helped companies across all verticals including hospitals, research universities, cities, startups, fortune 500 ...
