While automated scanning for technical flaws is generally one step in a security assessment and in compliance with PCI and HIPAA requirements, a thorough assessment should not stop there. A system assessment requires greater depth and an understanding of both the development of the software at the code level and the business risks associated with the identified vulnerabilities.
The application security industry is dominated by firms that rely heavily on automated tools to perform security assessments, the results of which are communicated in templated reports that capture only the most obvious vulnerabilities.
An assessment with both automated and manual testing should provide the information needed to move on to the next step: remediation of the vulnerabilities found.
How Are Denim Group's Assessments Different?
Reports Are Only the First Step
Denim Group's assessment process augments automated testing with advisory services to provide an in-depth look at security vulnerabilities in software. The results of Denim Group's assessments are actionable, and the remediation path is straightforward.
Security Consultants are Practicing Software Developers
Denim Group's security consultants are trained and experienced developers with in-depth knowledge of the software development lifecycle and secure development strategies to develop, assess and remediate application source code.
You're Not Left Alone to Fix the Problem
Denim Group is committed to helping organizations develop their own internal competencies in application security through training and SDLC Advisory Services. As developers, Denim Group is equipped to team with clients to weigh risks and interpret the results of scans, and if needed, help with the remediation process.
Black Box Testing (or Dynamic Testing)
Black box testing (or dynamic testing) begins with automated scans, which can be valuable for getting a quick read of the security state of an application through a catalog of technical vulnerabilities. These scans, however, are not complete, and they do not identify where in the code the problem exists. Scans are followed by manual verification of found vulnerabilities and the identification of certain logical vulnerabilities.
Code Reviews (or Static Reviews)
Source code reviews (also called static reviews or white box testing) are based on direct observation of the code that will actually create the behavior. This allows for more insightful analysis and specific recommendations, which can range from the discovery of keyboard errors to specific process-oriented recommendations. An assessment of software source code helps focus attention on where software is most vulnerable.
Penetration testing simulates a malicious attack in order to perform in-depth business logic testing and determine the feasibility and impact of an attack. The testing is performed internally and externally to the system.
Applications running on Apple iOS, Android, Blackberry and Windows Mobile environments bring a unique challenge to information security in that a single application may consist of web services, embedded browsers and native code components. Denim Group has assessed mobile applications for a variety of industries, including financial services and healthcare, and has conducted numerous assessments of custom mobile applications. Read more about mobile application security assessment services >>
PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) mandates that organizations handling credit card information must build and maintain secure web applications. Now, organizations must focus on web application security in addition to network security and administrative controls. With PCI DSS 3.0, organizations must now document and demonstrate their approach for penetration testing and cover both the network and applications. Denim Group provides combined network and application penetration testing using a robust methodology. Our assessment services and source code reviews help organizations prepare for PCI assessments and provide a path to remediate code for compliance. Read more about PCI compliance >>
Contact us to begin your assessment.
Call (210) 572-4400 or email firstname.lastname@example.org.