Our services in a nutshell: Web and Mobile Application Security Assessment, Network Penetration Testing, Configuration Review and Server Hardening, Policy and Procedure Review, Gap Analysis and Risk Assessment, Business Impact Analysis, ISO 27001 Implementation, PCI DSS Consulting, PA DSS Consulting, Network Architecture Review, and Managed Security Services.

At DEFENSEROOT we are committed to providing the best possible service and advice to all our customers. You will speak to a member of our experienced team who will understand your business and the risks you face every day, develop a deep understanding of your organization's requirements, and finally propose a solution that fits your budget.


Services We Offer

1. Managed Security Services


Threats are growing more hostile. Budgets are tight. Skills are at a premium. And business imperatives like mobility, social media, web applications and big data can pose risks as well as inefficiencies if they're not properly managed.

Managed security services (MSS) is a dedicated approach towards managing an organization's security needs by simply outsourcing the responsibility to us. While you focus on your business and invest your valuable time towards generating more revenue, we invest our time towards securing your organization using our specialized expertise.

In an annual Managed Security Services project, our consultants keep pace with the changing security landscape and your evolving business requirements. Our consultants perform:

  1. Web and Mobile application Security assessments
  2. Server Hardening (Windows & Linux)
  3. Network Penetration Test and Architecture reviews
  4. Configuration review (Firewalls, routers & switches)
  5. IT Audits and Security Awareness Training
  6. WLAN assessments
  7. Assistance for evaluating Security Product
  8. Process Improvement

This is our most recommended, and most budget-friendly, type of service for securing your organization against internal as well as external hackers.


2. Secure SDLC (Software Development Lifecycle):


At the cutting edge of competition, businesses race to launch their product FIRST in the market. In this race to be first, application architects and developers focus on building application functionality, and management is happy because that functionality serves the business needs. As a result, application development is aligned with functionality, and the security needs of these applications slip down the priority list.

So, while you focus on your business, we work closely with your DevOps team to embed security in every phase of the Software Development Lifecycle. This involves capturing security requirements right from the requirements gathering stage, threat modelling along with the design phase, a secure code review in the development phase, followed by penetration testing assessments in the testing phase. Furthermore, we also ensure secure configuration of the frameworks and components in use, and a secure configuration of the servers during deployment.


3. Application Security Testing:


In this type of penetration test, we assess the security of the application by focusing on remotely exploitable vulnerabilities as per the OWASP Top 10 and WASC guidelines, together with an application architecture design review. We also assess the controls against privilege escalation, malicious file uploads and XML-based attacks. This helps you understand the total threat profile of your web application environment.

Apart from testing for industry-standard test cases, we specialise in executing business logic attacks, which are unique to each piece of application functionality. Our team does not rate risk severity blindly, but according to how the vulnerability applies in the business context of your organization.

We specialize in assessing web applications, thick-client applications, web services, PA-DSS compliant applications and SaaS applications.


4. Mobile Application Security:


With the recent paradigm shift of internet applications moving to the mobile platform, this area has become very important for any business, and therefore for hackers as well.

With our robust mobile application assessment approach, we help you maximise the business surface and minimise the attack surface of your application on this platform.

Our mobile application assessment covers all mobile operating systems, including Android, iOS, Windows, BlackBerry and Symbian, as well as newer platforms like Tizen, Sailfish and Mozilla.


5. Application Source Code Review:


Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.

This helps identify whether developers have misconfigured any application configuration parameters, whether confidential data is stored in code, whether input parameters are validated, whether comments are sanitized, and so on. If done in the post-development phase, this helps reduce the cost and time spent on repeated vulnerability assessments of the application.


6. Network Penetration Testing:


This type of penetration test involves identifying targets through Google searches, WHOIS, DNS queries and reverse look-ups. We perform OS fingerprinting and banner grabbing to identify known vulnerabilities. Whether these vulnerabilities are exploited depends on whether exploitation is part of the engagement.

We follow a responsible disclosure and non-destructive exploitation approach. Limited exploitation, in the form of password guessing and service exploitation, is always performed. This helps you identify the network security posture of your organization.



7. Configuration Review:


Most network devices are configured to run the business without regard for security. A configuration review helps you identify the gaps on network devices such as routers, switches, firewalls, WLAN controllers and load balancers, or any other technology implemented on the network, and securely configure them to prevent an external attacker from traversing the network.



8. Voice Over IP (VoIP) Penetration Testing:


Although VoIP technology meets current business needs, it may introduce additional risks such as call tracking, call data manipulation, eavesdropping or unauthorized wiretapping of phone calls.

Our testing includes assessing the VoIP infrastructure, evaluating the different VoIP components from a security perspective and their capability to maintain the confidentiality, integrity and availability of the voice traffic. Our testing generally includes investigating the authentication mechanisms, as well as the potential interception, interruption or manipulation of the exchanged information between the client and VoIP servers.



9. Infrastructure Hardening:


Infrastructure hardening is the process of tuning all network devices and servers to increase security and help prevent unauthorized access. We ensure that hardening standards are in place and in line with industry benchmarks, and that your servers are patched and configured to comply with these standards. We have rich experience in hardening all flavours of Linux, Windows servers and database servers.

Apart from hardening servers, we can help you harden network devices, including but not limited to firewalls, routers, switches, load balancers, web gateways and spam filters. This ensures that your network devices are secure and play their role without any security misconfiguration, thereby reducing internal attacks as well.



10. Network Architecture Review:


Advisors at Defenseroot Consulting can assess an organization's overall network design from a security perspective, including DMZ placement, network segmentation, external presence, and hardening techniques.

Our design reviews are performed in accordance with a Zero Trust model approach and can be based on the requirements of an internal business policy regarding network design. Existing network diagrams and documentation are reviewed, and network engineers, administrators and network architects are interviewed to confirm the documentation.




11. Wireless Penetration Testing:


Wireless networks are an extension of your organization’s infrastructure perimeter and should be tested thoroughly. An insecure wireless network opens up your organization’s doors to the external world and poses a security risk.

Rogue access points installed on the infrastructure by employees, which do not follow the organization's security guidelines, can also be used to compromise your organization. Defenseroot Consulting conducts a mix of black box and white box testing. We start by completing a site survey, where we use high-powered wireless equipment to locate access points.

Thereafter, we simulate multiple real-world hacking scenarios to break into the wireless network and then verify whether the internal segmentation and access controls are adequately implemented to ensure that a guest user connecting to a wireless network cannot connect to an internal wired LAN.