Complex problems require more than one approach. Our integrated services blend multiple offerings to solve specific security issues.
Our team is comprised of some of the finest offensive security professionals in the world. We break in and find the vulnerabilities, so you can fix them before they’re exploited.
Our success stories feature real-world security scenarios. You’ll discover varied approaches adopted by your peers in partnering with Bishop Fox, and how our application security services helped organizations, large and small, across an array of industries assess, identify, and minimize risks.
Security on Lock
The Internet of Things is a growing industry that presents opportunities for exploitation. When a product’s functionality requires the internet, security is key.
External Penetration Testing
Bishop Fox’s external penetration testing methodology identifies security vulnerabilities by simulating the real-world threat of an attacker attempting to exploit target networks and applications. These zero, partial, or full knowledge assessments begin with the discovery of externally identifiable systems and footprinting of designated networks and applications. Next, vulnerability scans are conducted using automated tools and the findings are manually verified. The team also enumerates the access control lists of firewalls and other perimeter security devices in order to pinpoint potential security exposures. Exposed applications are scanned and tested using a combination of automated tools and manual techniques. Finally, the team performs further manual identification and exploitation of any vulnerabilities in an attempt to penetrate the targets and gain access to sensitive data, critical functionality, and the underlying infrastructure.
Internal Penetration Testing
Bishop Fox’s internal penetration testing methodology identifies security vulnerabilities by simulating the threat of a malicious insider attempting to exploit designated target networks and applications. These zero, partial, or full knowledge assessments begin with the discovery of internally accessible systems and footprinting of designated networks and applications. Next, vulnerability scans are conducted with automated tools and the findings are manually verified. The team also enumerates Windows networks and performs password strength analyses to gauge adherence to password policy. Internal applications may optionally be scanned and tested using a combination of automated tools and manual techniques. Finally, the team performs further manual identification and exploitation of any vulnerabilities in an attempt to penetrate the targets and gain access to sensitive data, critical functionality, and the underlying infrastructure.
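As an added illustration of the password strength analysis mentioned above (example code written for this page, not Bishop Fox's own tooling): the policy thresholds, the banned corporate terms, the account names and the recovered plaintexts are all constructed for the example. Given plaintexts recovered during an authorized internal assessment, it reports how many accounts meet the written policy, which rules are violated most often, and which accounts share a password, without echoing the plaintexts themselves into the report.

```python
"""Password policy adherence analysis over a constructed credential sample."""
import re
from collections import Counter, defaultdict

# Assumed policy for this example; a stand-in for an organization's actual
# written password standard, not any real client's policy.
POLICY = {
    "min_length": 12,
    "min_classes": 3,  # of: lowercase, uppercase, digit, symbol
    "banned_terms": ("password", "welcome", "acme"),  # assumed corporate terms
}

# Constructed sample: account -> recovered plaintext, as an authorized
# assessment would hold after cracking an exported hash set.
SAMPLE_CREDENTIALS = {
    "alice": "Winter2023!",
    "bob": "Acme-Finance-2024",
    "carol": "Tr0ub4dor&3xtraLong",
    "dave": "Winter2023!",
    "erin": "password1",
    "frank": "Summer2023!",
    "grace": "c0rrect-horse-B4ttery",
}

# Season + year (+ optional trailing punctuation) is a common predictable
# pattern that satisfies naive complexity rules, so it is flagged separately.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}\W*$", re.I)


def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def violations(pw, policy=POLICY):
    """Return the list of policy rules a single password violates."""
    found = []
    if len(pw) < policy["min_length"]:
        found.append("too_short")
    if char_classes(pw) < policy["min_classes"]:
        found.append("too_few_classes")
    lowered = pw.lower()
    if any(term in lowered for term in policy["banned_terms"]):
        found.append("banned_term")
    if SEASON_YEAR.match(pw):
        found.append("season_year_pattern")
    return found


def analyze(creds, policy=POLICY):
    """Summarize policy adherence across all accounts.

    'reused' lists groups of accounts sharing one password; the password
    itself is deliberately left out so the summary is safe to put in a report.
    """
    summary = {"total": len(creds), "compliant": 0, "violations": Counter(), "reused": []}
    by_password = defaultdict(list)
    for account, pw in creds.items():
        found = violations(pw, policy)
        if not found:
            summary["compliant"] += 1
        summary["violations"].update(found)
        by_password[pw].append(account)
    summary["reused"] = sorted(
        sorted(accounts) for accounts in by_password.values() if len(accounts) > 1
    )
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_CREDENTIALS)
    rate = 100.0 * result["compliant"] / result["total"]
    print(f"{result['compliant']}/{result['total']} accounts compliant ({rate:.0f}%)")
    for rule, count in result["violations"].most_common():
        print(f"  {rule}: {count}")
    for group in result["reused"]:
        print(f"  shared password across: {', '.join(group)}")
```

The "season_year_pattern" rule is the part worth noting: a password such as the constructed "Winter2023!" passes a complexity check on character classes yet is highly predictable, so the analysis reports it separately from the minimum-length and class-count rules rather than treating policy adherence as a single pass/fail.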
Product Security Review
Our product review methodology leverages cutting-edge fault injection techniques in combination with manual penetration testing to thoroughly identify security vulnerabilities. Each product review begins with automated testing using data injection and fuzzing tools. The results are then analyzed and followed by manual injection testing. In addition, the team performs controlled manual reviews of targeted application components to locate additional security issues. Finally, the team performs exploitation to confirm each finding.
Our third-party assessment methodology is designed to determine the maturity and effectiveness of an organization’s security practices. Our approach begins with initial interviews and documentation review to identify practices and activities the organization has implemented. Then, the Bishop Fox team gathers more detailed evidence of existing processes, procedures, and controls to determine the maturity level of the organization’s security practice areas. Finally, the team determines the effectiveness of each activity and practice area based on the maturity levels and the specifics of the existing activities.
The Bishop Fox risk assessment methodology takes an asset-focused approach by identifying business critical assets as well as important processes. The team reviews the operational and process programs in place within an organization in addition to conducting surveys and interviews with key stakeholders. With the gathered information, the team performs targeted threat and vulnerability assessments of all these assets and processes to determine the overall organizational exposure.
The risk assessment commences with an asset identification phase, including interviews with executive leaders and other key stakeholders and a review of available documentation, with the aim of understanding the assets in scope and the business context for the scoped assessment. The asset identification phase is followed by a threat and vulnerability identification phase, in which applicable threat sources and vulnerabilities are identified for the asset scope. Next, the team conducts a risk analysis phase to determine likelihood, impact, and risk, and develops recommendations for controls. At the conclusion of all analysis activities, the assessment team documents the results in both a detailed assessment report and a high-level executive summary.
Our red teaming methodology varies from traditional pentesting approaches. With red teaming, no vector is off limits. Red teaming can include physical security testing as well as network and application security or social engineering. The objective is to truly mimic how an actual attack from an outsider would unfold. It’s an in-depth and holistic emulation that can be customized to meet specific needs.