Web and API Testing
We perform Web Application testing that includes any Application Programming Interfaces (APIs) working alongside the application.
We also perform testing on standalone APIs.
- Best results are achieved with gray-box testing (e.g. provided accounts for the web application and API documentation).
External Testing
We simulate a threat actor sourced from the Internet. The assessment is completely black-box.
- This test is best performed in conjunction with gray-box testing.
Internal Testing
The test is performed from within the client's internal network. The client is required to provide access to that network, either through a VPN connection or an SSH tunnel to a machine located inside the internal network.
Segmentation Testing
Such testing validates whether the company has implemented proper segmentation between the cardholder data environment (CDE) and non-CDE environments, i.e. we check whether any connectivity exists between the two environments.
- For service providers, PCI DSS requirement 11.3.4.1 states that segmentation tests must be performed at least every six months and after any significant change to segmentation controls.
Mobile Testing
Currently, we perform only Android application testing. We do plan to include iOS testing in the future.
Vulnerability Assessment
Automated vulnerability scanning performed with enterprise scanning software. The results provide an overview of the security posture of all in-scope systems.
- Manual testing is not performed.
Social Engineering
We simulate a real-world phishing campaign in an attempt to gather critical information (e.g. account credentials) from the client's employees. Such campaigns have no pass or fail outcome; instead, we present an overview of the company's security awareness.