
PEN Testing Methodology

The following information sets out NT-ware’s process and methodology as a basic standard for any security and PEN testing organizations we engage to test our product. Any external testing organization must follow privacy, security and confidentiality agreements.

Security controls

To maximize coverage and to detect high-risk vulnerabilities, our testing process covers the following security controls:

  • Authentication: defines a set of requirements for generating and handling account credentials safely.
  • Access Control: defines how an application can safely enforce access control. In most applications, access control must be enforced in several places across different application layers.
  • Session Management: defines a set of requirements for safely using HTTP requests, responses, sessions, cookies, headers, and logging to manage sessions correctly.
  • Configuration Management: verifies that a system performs as intended. This includes defaults, common paths, configuration, backups, and known vulnerabilities/security patches.
  • Cryptography: the encryption verification requirements set out criteria for verifying an application’s encryption, key management, random number generation, and hashing operations.
  • Data Protection (at rest / in transit): defines a set of measures to protect sensitive data, e.g. personally identifiable information.
  • Input Validation: measures to validate input to ensure it is safe for use within an application.
  • Output Encoding: escaping validation requirements which guarantee that output is properly encoded so that it is safe for consumption by external applications.
  • Error Handling and Logging: defines requirements that can be used to check the tracking of security-relevant events and the identification of attack behavior.

Security assessment process

Security assessments follow a set of key stages, but as requirements and tests are unique to each project, the penetration testing process is always adjusted to fit the project’s needs.

Information gathering

  • The penetration tester gathers all available information about the test subject, focusing both on the target’s technical details and on publicly available information regarding the owner of the application in question. NT-ware Operations and NT-ware Development work closely with the commissioned PEN testing company to provide a detailed view of the features and the product prior to each test; this is known as Gray-Box testing.

Planning and analysis

  • Once technical and public information has been collated, the tester begins attack planning, from the overall approach of the penetration test to identifying which targets require further research.

Vulnerability detection

  • Identifying the configuration and setting variables
  • Identifying pattern matching, lexical analysis, parsing
  • Data flow analysis
  • Generating attack vectors
  • Identifying functions to attack

Vulnerability exploitation

  • Generating attack code
  • Executing the attacks
  • Further analysis of the exploit to escalate privileges
  • Creating a usable Proof of Concept / real-world example
  • Documenting the attacks

Reporting stage

  • Documenting the methodology
  • Analysis of the findings
  • Risk assessment
  • Generating the report
  • Internal peer review

Report development stage

  • Report planning
  • Information collection
  • Writing the first draft
  • Review and finalization

Risk calculation

Our risk rating is based on the OWASP risk rating methodology. The likelihood and the impact of each finding are scored on a scale of 0 to 9 and categorized as LOW, MEDIUM or HIGH. These two ratings are then combined to provide an overall severity rating.
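As an added illustration of the calculation described above (example code written for this page, not NT-ware’s own tooling), the following Python implements the OWASP Risk Rating Methodology that the rating is based on. The 0 to 9 scale, the LOW/MEDIUM/HIGH bands (0 to <3, 3 to <6, 6 to 9), the eight likelihood factors, the impact factors and the severity matrix are taken from the OWASP methodology; the page itself does not state which bands or matrix NT-ware applies, so treating them as identical to OWASP’s is an assumption, and the sample finding and its factor scores are constructed for the example.

```python
from statistics import mean

# Band thresholds from the OWASP Risk Rating Methodology:
# 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH.
def level(score: float) -> str:
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

# OWASP overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "HIGH"): "CRITICAL",
    ("HIGH", "MEDIUM"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH",
    ("MEDIUM", "MEDIUM"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",
    ("LOW", "HIGH"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",
    ("LOW", "LOW"): "NOTE",
}

# OWASP likelihood factors: four threat-agent factors, four vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# OWASP impact factors. Business impact is used when it is known, otherwise technical impact.
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)


def _average(finding: dict, names: tuple) -> float:
    """Average the named factor scores, rejecting anything outside the 0 to 9 scale."""
    for name in names:
        value = finding[name]
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the 0 to 9 scale")
    return mean(finding[name] for name in names)


def rate(finding: dict) -> dict:
    """Return likelihood, impact and overall severity for one finding."""
    likelihood = _average(finding, LIKELIHOOD_FACTORS)
    if all(name in finding for name in BUSINESS_IMPACT_FACTORS):
        impact = _average(finding, BUSINESS_IMPACT_FACTORS)
        impact_basis = "business"
    else:
        impact = _average(finding, TECHNICAL_IMPACT_FACTORS)
        impact_basis = "technical"
    likelihood_level, impact_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "likelihood_level": likelihood_level,
        "impact": impact,
        "impact_level": impact_level,
        "impact_basis": impact_basis,
        "severity": SEVERITY[(impact_level, likelihood_level)],
    }


# Constructed sample finding (hypothetical; not from any real report).
SAMPLE_FINDING = {
    "title": "Password reset endpoint has no rate limiting",
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
}

if __name__ == "__main__":
    result = rate(SAMPLE_FINDING)
    print(f"{SAMPLE_FINDING['title']}: likelihood {result['likelihood']:.2f} "
          f"({result['likelihood_level']}), impact {result['impact']:.2f} "
          f"({result['impact_level']}, {result['impact_basis']}), "
          f"severity {result['severity']}")
```

For the sample finding the eight likelihood factors average to 5.50 (MEDIUM) and the four technical impact factors to 4.25 (MEDIUM), so the matrix yields an overall MEDIUM. Supplying the four business impact factors makes `rate` prefer them over the technical ones, which is the order of preference OWASP describes.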
