Security Testing Methodology
ATTENTION: This document contains information from Astra IT, Inc. & Czar Securities Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from Astra IT, Inc. & Czar Securities Pvt. Ltd. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.
Your plug & play cyber security suite.
www.getastra.com
8000+ hours saved of developers & CXOs
Resilient and reliable security solution for your application
75% vulnerability fixing rate
27,000+ vulnerabilities uncovered every month
Table of Contents
1. Introduction
   1.1 About Astra Security
   1.2 Objective of Security Testing
   1.3 Astra Security's VAPT Framework
2. Security Audit Scope of Work (SOW)
3. Testing Methodologies
   3.1 For Websites / Web Applications
   3.2 For Mobile Applications (Android)
   3.3 For Mobile Applications (iOS)
   3.4 For API Security
   3.5 For AWS Cloud Infrastructure
   3.6 For Azure Cloud Infrastructure
   3.7 For Network Devices - Firewall/Routers/Printers
4. Security Testing Report & Video POCs
5. Methodology for Patching Vulnerabilities
6. Our Security Suite
7. Our VAPT Customers
8. Awards & Recognition
9. List of Top Security Issues Tested
10. Contact

SQL Injection | Malware | Bad Bots | Vulnerabilities in Code | Phishing & Social Hacks
Vulnerabilities in App Code | API Testing | Cloud Security Diagnostics | Business Logic Testing | Network VAPT
1. Introduction

1.1 About Astra Security
Astra Security makes cyber security super simple for online businesses. The company offers a security suite that comprises a security audit, a firewall & a malware scanner.
Every solution within our suite takes under five minutes to set up & offers a 10x better experience than its contemporaries. The suite is beautifully knit, offering a homogenous experience that makes security delightful. Astra Security is a Techstars-backed company, awarded by the President of France & the PM of India for its innovation in cyber security.
The security testing focuses on evaluating the security of web, mobile, network, API, SaaS, blockchain & cloud applications by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the application for any available weaknesses, technical flaws, or vulnerabilities.
Every vulnerability that is found is presented, via our collaborative cloud dashboard, with an assessment of its impact and a proposal for a technical solution.
Vulnerability Assessment & Penetration Testing that comes without a 100 emails, 250 Google searches & painstaking PDFs. Saves hundreds of hours of your & your developers' time.
1.2 Objective of Security Testing
Vulnerability Assessment & Penetration Testing (VAPT)
- Static & dynamic code analysis
- Network devices configuration
- Payment manipulation testing
- Server infra. testing & DevOps
- Business logic testing
- Vulnerability remediation assistance
- Bird's-eye view with VAPT Dashboard
- Testing per OWASP standards & known CVEs

Applications covered:
- Web applications
- Mobile apps (iOS/Android)
- Cloud infrastructure (AWS/Azure)
- SaaS applications
- Website themes & plugins
- Blockchain applications
- API testing
- IoT applications
- Network devices

1.3 Astra Security's VAPT Framework
Every VAPT (Vulnerability Assessment & Penetration Test) is tailored to the application being tested. Apart from the standard security tests, massive stress is put on designing security tests tailored to your application's workflow.
- Vulnerability Assessment and Penetration Testing (VAPT)
- Static & dynamic code analysis
- Technical assistance in patching found security vulnerabilities
- Collaborative cloud dashboard for vulnerability reporting & management
- Access to our security tools/APIs
- Consultation on the best security practices for your application
2. Security Audit Scope of Work (SOW)
A detailed security audit's scope is tailored to individual requirements such as the number of applications to be audited, types of application, desired type of security testing, our predefined number of tests for each type of application, security assessment tools, and more.
The security audit scope of work will include:
- Network & source code testing
- Blackbox testing
- Whitebox testing
- Greybox testing
Astra's Security Testing is based on the OWASP (Open Web Application Security Project) Testing Methodologies and the OWASP Testing Framework. During the audit we perform over 1250 'active' tests that have been classified on the basis of the type of vulnerabilities found. Each active test is followed by hundreds of sub-tests.
Hacker style testing, powered by our powerful vulnerability management & collaboration dashboard.

Qualified & Friendly Security Team
The security audit is a high-level description of the many ways organizations can test and assess their overall security posture.
Astra's team of security auditors maintains an ethical and professional approach to testing and assessing your organization's security posture. Our professional auditors combine the wisdom, qualifications and skills acquired over years of doing thousands of security audits. You get nothing but the best experience throughout the engagement.
In addition, the auditors have both the technical & communication skills to uncover all vulnerabilities on your platform and collaborate with your development team to help them patch discovered vulnerabilities in your application/network. Our team takes pride in being developer friendly.
Our security auditors have wide education backgrounds & hold industry specific certifications (not limited to the list below):
- Bachelors in Information Security from Northumbria University, Singapore
- CEH - Certified Ethical Hacker
- Advanced Diploma in Information Security, MDI, Singapore
- Cyber Security Fundamentals from Kaspersky
- Policy Compliance Certification, Qualys

Vulnerability Management Areas
- Websites / Web Applications
- Mobile app assessment
- PDA security assessment
- Mobile Apps (iOS/Android)
- API analysis
- API enumeration
- Scope & roles testing
- API Security
- Cloud configuration review of environment
- Cloud Infra. (AWS/Azure)
- Network and perimeter assessments (Internal/External)
- Server and network penetration testing
- IDOR (Insecure Direct Object Reference)
- Cloud security diagnostics
- Network Devices
- Network vulnerability assessment with a data review
- Reviewing network strengths against common attacks
- Network devices penetration testing
- Security assessment of network devices
3. Testing Methodologies
Our security testing approach and methodology are based on industry leading practices such as OWASP, OSSTMM, WASC, NIST etc.
Hybrid of human & automated vulnerability testing.

3.1 For Websites/Web Applications
Phase I (Initiation)
- Define scope of testing for an application
- Document initial testing requirements
- Develop testing & scanning schedule
- Understand implemented functionalities in an application
- Sampling of browser-server traffic flow
- Finalize testing deliverables format
Phase II (Evaluation)
- Perform static code analysis of an application
- Server infrastructure testing & DevOps
- Identify the loopholes in the business logic
- Do authorization checks for user access (UAC)
- Schedule manual & automated application scanning using own tools
- List commercial and open source tools for security testing
Phase III (Discovery)
- Perform dynamic analysis & penetration tests
- Payment manipulation testing
- Test for known CVEs
- Technology specific attack vectors and payloads
- Verify findings and remove false positives
- Catalogue all the exposed vulnerabilities
- Collection of evidence and video POCs
Phase IV (Reporting)
- Determine ease of vulnerability exploitation
- Provide app vulnerabilities details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
For more information, visit: https://www.getastra.com/website-vapt
3.2 For Mobile Applications (Android)
Phase I (Initiation)
- Installation of the apk file on Android security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data
Phase II (Evaluation)
- Intercept traffic through a proxy to analyze the incoming & outgoing packets of the app
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data store (at rest, in transit or on display) and its sensitivity
Phase III (Discovery)
Based on the observations, formulate test cases and carry out the security testing for:
- Data storage and privacy
- Cryptography
- Authentication & session management
- Encrypted network communications
- Platform interaction
- Code quality and build settings
Phase IV (Reporting)
- Determine ease of vulnerability exploitation
- Provide app vulnerabilities details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for Android security testing: Network Proxy, MitmProxy, Quark, APKTool, Android Debug Bridge, MobSF, ZAP & more.
For more information, visit: https://www.getastra.com/mobile-app-vapt
3.3 For Mobile Applications (iOS)
Phase I (Initiation)
- Installation of the ipa file on iOS security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data
Phase II (Evaluation)
- Intercept traffic through a proxy to analyze the packets coming in and going out of the app
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data store (at rest, in transit or on display) and its sensitivity
Phase III (Discovery)
Based on the observations, formulate test cases and carry out the security testing for:
- Data storage and privacy
- Cryptography
- Authentication & session management
- Encrypted network communications
- Platform interaction
- Code quality and build settings
Phase IV (Reporting)
- Determine ease of vulnerability exploitation
- Provide app vulnerabilities details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for iOS security testing: Network Proxy, MitmProxy, Quark, MobSF, ZAP, IMAS & more.
For more information, visit: https://www.getastra.com/mobile-app-vapt
3.4 For API Security
Phase I (Initiation)
- Analyze the API endpoints
- Check the type of authentication implemented: Basic HTTP authentication, access token, cookies
- User input validation checks
- Document initial testing requirements
- Develop testing schedule
- Set up the testing environment and prepare testing tools
Phase II (Evaluation)
- Check if all the endpoints are protected behind authentication to avoid a broken authentication process
- Test for API input fuzzing
- Test for unhandled HTTP methods
- Analyze API requests and responses
- Test integration endpoints
Phase III (Discovery)
Test for the following vulnerabilities:
- Unauthorized access
- Data leakage
- Sanctioning
- Fuzzy input
- Injection vulnerabilities
- Parameter tampering, etc.
- Data validation testing
- Access permissions
- IDOR (Insecure Direct Object Reference)
Phase IV (Reporting)
- Determine ease of vulnerability exploitation
- Provide vulnerabilities details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for API security testing: Burp Suite, Proxy, SQLmap, Acunetix, DirBuster, Fuzzapi, Commix, REST API Clients & more.
For more information, visit: https://getastra.com/blog/knowledge-base/api-security-testing
3.5 For AWS Cloud Infrastructure
Phase I (Initiation)
- Define scope of testing for your AWS integration
- Obtain root access keys
- Network and perimeter assessments (Internal/External)
- Finalize testing deliverables format
Phase II (Evaluation)
- Configuration review of the environment
- Reviewing Identity and Access Management (IAM) users, groups and roles
- Managing the access control on the cloud
- EC2, SNS, RDS security configuration review
- Reviewing other AWS policies for: S3 bucket, SQS queue, KMS keys
Phase III (Discovery)
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Running vulnerability scanning with tools such as CloudSploit
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics
Phase IV (Reporting)
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for cloud infrastructure testing for AWS: Prowler, CloudSploit, Cloudplaining, ScoutSuite, CloudJack, & more.
For more information, visit: https://getastra.com/blog/security-audit/aws-security-audit
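Part of the Phase II policy review listed above (S3 bucket, SQS queue and KMS key policies) can be automated. The script below is an added example, not Astra's own tooling: it walks parsed resource-policy documents, flags Allow statements whose Principal is everyone, and notes whether a scoping condition such as aws:SourceArn narrows the grant. The resource names and policy documents are constructed samples.

```python
from typing import Any

# Condition keys that normally scope a Principal "*" grant down to one
# account, organisation or source resource (lower risk, but still review).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid",
                "aws:principalarn", "aws:sourcevpce", "aws:sourceip"}


def as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}: any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def has_scoping_condition(condition: Any) -> bool:
    """True if any Condition key restricts which caller may use the grant."""
    return any(key.lower() in SCOPING_KEYS
               for block in (condition or {}).values() for key in block)


def find_public_statements(policy: dict) -> list[dict]:
    """Return the Allow statements whose Principal is everyone, with the
    actions granted and whether a scoping condition narrows the grant."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and principal_is_anyone(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": as_list(stmt.get("Action")),
                "conditional": has_scoping_condition(stmt.get("Condition")),
            })
    return findings


def review_policies(policies: dict[str, dict]) -> dict[str, list[dict]]:
    """Review {resource: parsed policy document}; keep resources with findings."""
    return {name: found for name, doc in policies.items()
            if (found := find_public_statements(doc))}


# Constructed sample documents for hypothetical resources: a world-readable
# bucket, a queue scoped to one SNS topic, a key trusting only the account root.
SAMPLE_POLICIES = {
    "s3://example-reports-bucket": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"}]},
    "sqs:example-events-queue": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowSnsDelivery", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:example-events-queue",
         "Condition": {"ArnEquals": {
             "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"}}}]},
    "kms:example-key": {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for resource, findings in review_policies(SAMPLE_POLICIES).items():
        for f in findings:
            level = "REVIEW" if f["conditional"] else "PUBLIC"
            print(f"{level}: {resource} {f['sid']} allows {', '.join(f['actions'])}")
```

Feed it the output of `aws s3api get-bucket-policy`, `aws sqs get-queue-attributes` or `aws kms get-key-policy` after parsing the policy string with json.loads.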
3.6 For Azure Cloud Infrastructure
Phase I (Initiation)
- Define scope of testing for your Azure integration
- Obtain root access keys
- Network and perimeter assessments (Internal/External)
- Finalize testing deliverables format
Phase II (Evaluation)
- Configuration review of the environment
- Reviewing Identity and Access Management (IAM) users, groups and roles
- Managing the access control on the cloud
- Storage, VMs, SQL Database, Key Vault, & App Service environment security configuration review
- Reviewing data protection & encryption
Phase III (Discovery)
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Running vulnerability scanning with tools
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics
Phase IV (Reporting)
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for cloud infrastructure testing for Azure: Azucar, CloudSploit, ScoutSuite, MicroBurst, cs-suite, & more.
3.7 For Network Devices - Firewall/Routers/Printers
Phase I (Initiation)
- Define scope of testing for network devices
- Develop testing schedule
- Identify any deficiencies that put the customer at risk of a security breach
- Understand integration of the device and topology
- Sampling of network traffic
- Finalize testing deliverables format
Phase II (Evaluation)
- Check if all the endpoints of devices are protected with authentication
- Security policies & architecture review
- Do authorization checks for user access (UAC)
- Network data review
- Evaluate the policies for remote access, etc.
- Reviewing network strengths against common attacks
Phase III (Discovery)
- Perform risk assessment to identify threats, and analyze the control environment to determine what the risks are and their potential impact
- Vulnerability assessment for device process, application & function
- Perform penetration testing to find flaws in the vulnerable devices
Phase IV (Reporting)
- Provide details of vulnerabilities & misconfigured/unpatched network devices on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT Certificate for security audit
Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.
Tools used for network devices testing: Nmap, Wireshark, Nessus, Metasploit, Burp, Sublist3r & more.
For more information, visit: https://getastra.com/blog/security-audit/it-security-audit
4. Security Testing Report & Video PoCs
Astra Security's proprietary vulnerability management platform is unlike anything you must have ever seen. A bird's-eye view for CISOs helps ensure you're always on top of the status of the security audit. A detailed vulnerability report with video proofs of concept, Selenium scripts & the ability to collaborate with our security engineers within the dashboard ensures vulnerabilities are fixed in record time.
- Details of vulnerability
- Screenshots & video PoCs
- Selenium scripts for your developers to help reproduce vulnerabilities
- Threat criticality with CVSS score
- Business impact & consequences
- Steps to re-create the issue
- Tailored steps to fix the vulnerability (patching)
- Best practices for the future
Astra Security's vulnerability management dashboard comes with a bird's-eye view for management, keeping you always on top of security assessment status.
Video PoCs, Selenium scripts & collaboration with the security team enable your developers to fix the vulnerabilities in record time. With Astra Security, VAPT takes 40% less time than other solutions.

Build trust among your customers & partners with a security certificate
A secure application calls for some bragging. After our engineers verify you've fixed the uncovered vulnerabilities, we issue a safe-to-host certificate. This helps inspire confidence among your customers and partners.
5. Methodology for Patching Vulnerabilities
We have a strong emphasis on security patching post the audit. It is important to close the loop and make the application bulletproof against hackers.
We achieve this by providing:
- Detailed steps for patching
- Best practices while developing
- Round-the-clock technical assistance
- Video POCs of discovered vulnerabilities and security loopholes
- Re-audit to ensure the issue has been fixed
After the security vulnerabilities have been satisfactorily resolved, a full re-scan is conducted to ensure that there are no gaps. A certificate is then issued to confirm the same.

Additional Security Mechanisms
To ensure utmost security we believe in 'Proactive Security' measures, where we anticipate the infiltration techniques used by hackers and recommend additional security countermeasures.
We take security in our own hands and fortify the application with:
- Application specific security mechanisms
- Countermeasures for known attack techniques
- Framework to monitor user actions on the application
- Mechanisms to tackle hackers
6. Our Security Suite
A Rock Solid Firewall that detects, stops & neutralizes 100+ threats
A Rock Solid Firewall neutralizes 100+ threats including bad bots, SQLi, LFI, RFI etc. Automatic decision making & dozens of security features like country blocking, GDPR cookie consent, rate limiting, fake search engine bots detection & more.
Intelligent web application firewall & malware scanner
- Protects against 100+ types of attacks
- Daily automatic malware scans
- Community-driven
- No DNS changes required
- No routing of traffic through our servers
- We never become a single point of failure
- Protection tailored to technology stack

Create your own community security (Bug Bounty) program
Your business is vulnerable. There's always a new malware or hack floating around that you are not protected against.
With community security, ethical hackers guard your website, report vulnerabilities and earn rewards. You allow people to report any security weaknesses they find through a dedicated channel and strengthen your website before it's attacked, at no cost to your business.
- Launch in 4 minutes
- Leverage the security community
- Managed by our security experts
- Self-serve dashboard
- Reward hackers
- Be known as a security conscious company
For more information, visit: https://www.getastra.com/community-security
7. Our VAPT Customers
Trusted by The Ones You Trust
Astra carried out a security audit on our digital application which is a solution that allows companies to manage their whistleblower system. Due to the sensitive nature of the information that is processed in the application, we wanted to identify all possible security loopholes. I am very satisfied with the result and the recommendations of the audit report. It was an eye opener. We were able to optimize the security of the app to meet the expectations of our customers.
- Olivier Trupiano, CEO, Signalement (a whistleblowing platform in Europe)
& more...
8. Awards & Recognition
Astra Security was awarded a grant from the French Government under their French Tech Ticket program. We were awarded by the French president Mr. François Hollande himself.
Astra Security was awarded 'Best Cyber Security Startup' by the PM of India Mr. Narendra Modi at the Global Conference on Cyber Security.
Astra Security is recognized by NASSCOM as one of the top 50 emerging cyber security companies & has been awarded the Emerge 50 award.
9. List of Top Security Issues Tested
The following table captures the top security issues found. The list is illustrative of the security issues tested for. During an actual security audit, under each head below, thousands of tests are performed including tailored tests for your application.

Vulnerabilities Tested | Exploitability | Impact
Configuration and Deployment Misconfiguration | Easy | Moderate
Application or Framework Specific Vulnerabilities | Difficult | Severe
Business Logic Flaws | Average | High
Shopping Cart & Payment Gateway Manipulation | Difficult | Severe
Known Security Issues (CVEs) | Average | Moderate
Weak Identity Management | Average | High
Broken Authentication | Average | Severe
Improper Authorization | Average | Severe
Broken Session Management | Average | High
Weak Input Validation | Easy | Moderate
Error Handling | Difficult | Moderate
SQL Injection | Easy | Severe
Weak or Broken Cryptography | Difficult | High
Client Side Script Security | Easy | Moderate
Cross-Site Request Forgery (CSRF) | Average | Moderate
Cross-Site Scripting (XSS) | Average | Moderate
Clickjacking | Easy | Moderate
Unrestricted File Upload | Average | Severe
Sensitive Data Exposure | Average | Severe
Insufficient Attack Protection | Easy | Moderate
Under-protected APIs | Difficult | Moderate
HTTP Security Header Information | Difficult | Moderate
10. Contact
Secure your business from cyber threats using the Astra Security Suite.
How can we help you? Let's talk.
[email protected] | www.getastra.com
fb.com/getAstra
linkedin.com/company/getastra
@getastra
Schedule a Call
Making Security Simple for thousands of online businesses