Advanced White-box

Advanced white-box is a service that combines penetration testing with secure code review and other assessment services. It comprehensively examines the security of applications under development by simulating attacker behaviour and combining automated code analysis with manual code reviews and audits.

Our story

One of our foremost clients asked us to penetration test a newly developed mobile app that manages users’ financial information. Because the application was developed by a supplier company, in addition to verifying security, the client also asked us to verify that the application met the criteria specified in the design.

When analysing the source code, in conjunction with penetration testing, we discovered several very serious authentication and authorization vulnerabilities that could give an attacker access to all the product users’ financial and profile information. This very sensitive data could have been used by hackers, for example, during phishing campaigns targeting users or directly when attacking the institution. If this situation had happened during real-time operation, the company would have run the risk of major financial losses, the associated loss of its client base and considerable damage to its reputation. However, because the penetration tests were carried out before the application was put out for real-life operation, this serious incident was avoided.

What’s more, the analysis of the design and the real state of the application pointed out some deviations from the agreed requirements, for instance, in the area of working with user documents, which is subject to the GDPR, which the supplier had not adequately secured in the application. The client was therefore able to negotiate a fast, free fix within the contract and thus increase its mobile app’s level of security.

Brief Description

Advanced White-box involves:

Penetration Testing

Penetration testing is a simulation of hacker attacks at the network and application level. It tests the ability of an organization’s systems to withstand real cyber-attacks from the external environment, as well as their ability to withstand unauthorized interference by employees, whether those employees act knowingly or simply make a mistake.

Secure Code Review

This consists of checking the source code of applications. It takes the form of manual source code reviews and automated analyses using SAST (static application security testing) tools.

Detailed Description

Penetration testing

  • It simulates hacker attacks on applications, systems and entire infrastructures.
  • It uses globally recognized methodologies such as the OWASP Web Security Testing Guide (WSTG) or Penetration Testing Standard (PTES).
  • Penetration testing is done by certified penetration testers in line with required standards.
  • It combines manual testing with advanced commercial automated scanning tools, as well as custom tools from the AEC toolkit portfolio.
  • Penetration testing detects vulnerabilities and configuration flaws and reveals undersized system elements at every layer of the application or system under test.

Code Review

  • A review of applications in many popular languages (Java, C#, PHP, ...).
  • An internal methodology that draws on experience from secure development and penetration testing and on the recognized standards of the OWASP project.
  • Reveals development errors, backdoors, design flaws, non-compliance with best practices, use of weak cryptography and many other vulnerabilities in the application.
  • The code review consists of two main analysis parts:
    • An automated review of the entire code using open-source and proprietary tools and a review of the results by a security specialist.
    • A manual review of the entire code or its subparts as chosen by the client or a security specialist.
  • The vulnerabilities uncovered are described in detail and tailored recommendations are provided that take into account the technology stack used.


Our advantages

  • We are a successfully established Czech security company that has been on the market for over 30 years.
  • We listen to our clients and adapt our tests to their needs and time constraints.
  • Our team is made up of specialists with a wealth of experience in development and ethical hacking.
  • We follow the latest trends in social engineering.
  • We combine penetration testing, automated source code analysis, manual reviews and audits to uncover a wide range of vulnerabilities.
  • The resulting reports from the tests we conduct contain detailed descriptions of the vulnerabilities found and specific recommendations to fix them that are tailored to the technologies used.
  • We build our services on many years of experience and time-tested standards.

References

In this field we have extensive experience implementing projects for companies that are leaders in their sectors. We will be happy to provide more references upon request.

Contact us
