Security Checks – Pentests & Dark Web Monitoring

 


Protective measures with security checks for SMEs

Have security checks with pentests or dark web monitoring carried out rather than having to deal with the aftermath of a cyberattack. Such attacks have long since reached small and medium-sized enterprises (SMEs). It is therefore essential to introduce the right protective measures.

For SMEs in particular, a cyber attack can mean the end, as they often do not have the financial means to combat it. You can avoid this. We'll show you how.

The security checks can take place at your premises or remotely.


Sensible security checks depending on the use case

Fortunately, there are 2 useful security checks, depending on the use case, to protect you from cyberattacks.

  • Various pentests to detect vulnerabilities in your applications and IT infrastructure,
  • Dark Web Monitoring to find out whether your employees' login details could have ended up on the dark web.

Below you can read what exactly is behind the 2 security checks and how our experts use them to test your IT security. In the end, you can prevent serious attacks at a manageable cost. We are also happy to offer SMEs this regular check with automated tools and risk reports as a full service.

Pentests - efficiently uncover weaknesses in IT systems

Pentests are particularly efficient for SMEs when it comes to uncovering vulnerabilities in IT systems. This is because SMEs are increasingly becoming the target of hacker attacks. One of the reasons for this is that they have adopted hybrid and decentralised working models, but have not yet implemented all the important and sometimes complex solutions that are necessary to secure their decentralised employees.

Pentests are targeted, authorised attempts to penetrate IT systems to improve IT security or identify security vulnerabilities.

In simplified terms, pentests usually proceed as follows:

  • collect technical information about the IT system,
  • detect possible vulnerabilities, such as misconfigurations,
  • use vulnerabilities to check other systems for vulnerabilities,
  • write a final report to close the vulnerabilities.

Have your applications pentested

Have the applications that you have developed yourself or purchased from a third-party provider pentested.

We use web application pentests to identify security vulnerabilities in your web applications. Before we can start with web application penetration tests, we first set up the testing environment and clarify with you what exactly is to be tested.

Depending on what we have agreed on, we test your web applications for, among other things:

  • Information Leakage:
    Is it possible for an attacker to gain access to sensitive data such as system configurations, user data or even company data without prior authorisation?
  • Authentication Mechanism:
    Is it possible for an attacker to bypass login interfaces, e.g. with bypass attacks, and gain authorisations in the web application?
  • Input Validation:
    Is it possible for an attacker to carry out server-side or client-side attacks, e.g. with cross-site scripting or SQL injections, due to a lack of verification of input data?

At the end, we assess the identified security gaps and recommend countermeasures. These form the basis for any further measures.

Our mobile security experts use pentests to test various mobile applications on iPhones, iPads, Android smartphones and tablets. We also test your backend application environment and the communication between the device and the backend application environment.

5 steps to more mobile security

  1. Identify common application vulnerabilities in the mobile applications. These include, for example, insecure data storage, insecure authentication or weaknesses in the communication channel used.

  2. We analyse your mobile application from the perspective of regular application users with valid test accounts. In this context, we identify vulnerabilities in the application logic as well as horizontal and vertical privilege escalations.

  3. We then analyse the backend services of your mobile application. In this section, we look specifically for security vulnerabilities in areas such as authentication, input validation, authorisation and session management as well as cryptography and message integrity.

  4. You will receive a detailed report on the vulnerabilities identified, including suggested solutions for eliminating security gaps.

  5. At the end, we support you in closing security gaps and check the effectiveness of the measures again.

  1. We subject the API interfaces defined with you in the project scope (e.g. SOAP or REST) to a comprehensive security analysis at network and application level. Using the OWASP API Security Top 10, we check your API interface for known vulnerabilities and help you to protect your API from unauthorised access.

  2. Our network-level tests include an automated vulnerability scan and a manual analysis of all network services provided by the API from the perspective of an external attacker. The application-level tests, on the other hand, are performed with a semi-manual approach and without valid user credentials.

  3. As a result of our security checks, you will receive a detailed report containing a list of all identified vulnerabilities as well as specific, prioritised recommendations on how you can improve security.

Have a pentest carried out on your IT infrastructure

A pentest of your IT infrastructure provides you with a security analysis of the effectiveness of your internal and external security systems. It does not matter whether the IT infrastructure was developed in-house or purchased from a third-party provider.

You can have the following systems checked by us with a pentest of your IT infrastructure:

  • Web server
  • E-mail server
  • Databases
  • File server
  • VPN gateway
  • Firewall
  • Active Directory
  • Cloud solutions

Procedure for pentests of IT infrastructures in 5 steps

  1. Go through the requirements and objectives of the project and jointly determine which systems are to be checked and how.

  2. Collect information about your IT infrastructures. This information is used in the next phase to carry out attacks. By interacting with the system, further information is collected to determine possible entry points into the systems.

  3. In this phase, the previous results are used and the IT infrastructure is specifically attacked in order to gain access to the systems. The aim is to identify, combine and assess the vulnerabilities in the IT infrastructure components. The analyses are carried out manually to find vulnerabilities that require in-depth IT security knowledge.

  4. Parallel to the pentest, the results are recorded and analysed. The documentation includes a list of the weak points and their evaluation as well as recommendations for action.

  5. After the pentest and the elimination of the errors, a follow-up check can take place. We check whether the vulnerabilities still exist or have been correctly rectified.

Have pentest scenarios executed

Have pentest scenarios executed. This allows you to identify the real risk potential of various attack scenarios for your company in a secure environment. Pentest scenarios include, for example, an internal attack using a compromised computer or malicious employees.

  • Malicious employees:
    Here we perform a comprehensive security analysis of a company notebook provided by you from the perspective of newly hired employees with malicious intentions.
  • Stolen notebook:
    In this pentest scenario, we examine the impact the loss of a laptop would have on your organisation.

Dark Web Monitoring

Dark Web Monitoring is a service that searches websites and forums on the dark web for your employees' personal information. This is important because hackers can steal personal data, blackmail your company or sell the data on for use in various other illegal activities.

If your information is detected on the dark web, you will be notified so that you can take swift action.

 

Dark Web Monitoring Services for SMEs

We offer two dark web monitoring services for SMEs. Use our live monitoring for early detection of attacks that have already been successfully carried out. We offer you the following options and services.

Dark Net Research & Monitoring 24/7

Dark Net Research & Monitoring 24/7 is a permanent, AI-optimised monitoring and analysis of disclosed login information in real time from various sources, such as the dark web, data dumps and forums. This applies to all users of your company domain.




Monthly Dark Net Scan

The monthly Dark Net Scan is a monthly AI-optimised report on exposed credentials from various sources, such as dark web markets, data dumps and forums. The service scans all users of your company domain.

Recommendation: Focus on three key areas in dark web monitoring

In general, the recommendation for companies is to focus on three key areas in dark web monitoring.

It is advisable to identify threats from stolen login data, e.g. who is targeting your company, your brand or certain employees. The preferred tactics of hackers should also be identified.

Continuously analysing this data provides an overview of the tools used, the attackers and their motives. The information gained can in turn be used for the company's security strategy.

Stolen login data poses a significant risk that many SMEs are not aware of. Many users still use the same passwords to log in to different platforms. Hackers exploit this with credential stuffing, using the reused login data to gain access to websites and sensitive data. These login details are also sold on the dark web. Anyone who believes they are not affected by this trade has probably not yet looked for it.

Purchased login data is usually used for fraud. This can include trading in credit card data, counterfeit branded goods or use for phishing campaigns. Phishing kits look deceptively like the original websites and can block certain IP addresses of well-known security companies, so that security warnings are not even received. Fraud tactics can also change and adapt over time.

Identifying fraudulent websites, products or activities early - whether on the dark or open web - can therefore make a significant contribution to data security.

Do you need help with IT security checks?

Jonas Windgassen
Unit Manager
Phone: +49 6101 590 90 00
E-mail: info@sinovo.de

Dilek Imre
Head of Sales
Phone: +49 6101 590 90 00
E-mail: info@sinovo.de