Security Testing Guide
Setup Plan with Time and Costs
ScienceSoft has been providing cybersecurity services since 2003.
Security Testing: Essence
Security testing aims to detect and analyze security vulnerabilities in software, IT infrastructure, security policies (access control, communication, incident response, disaster recovery, etc.) and procedures (user authentication, sensitive data encryption and disposal, etc.).
Depending on a company’s specific needs, ScienceSoft’s security testing professionals carry out vulnerability assessment, penetration testing, security code review, compliance testing or security audit. Regular security testing is the best practice for a company to ensure compliance with cybersecurity regulations and enhance its IT security posture.
With many industry- and company-specific considerations, a cybersecurity testing setup plan asks for a case-by-case approach. Below are the typical steps we at ScienceSoft follow in our security testing projects.
1. Security testing planning
Duration: up to 2-3 weeks.
- Assigning a security testing manager to plan and oversee the security testing project.
- Defining the scope of cybersecurity testing: the targets (networks, applications, servers, security software, physical security); the testing types and timeframe. ScienceSoft’s experts plan one or several of the following security testing types:
Vulnerability assessment
Extensive automated identification, analysis and prioritization of software and IT infrastructure vulnerabilities.
Penetration testing
Detection and in-depth exploration of software and IT infrastructure vulnerabilities and their impact on the company. Simulation of life-like cyberattacks.
Security code review
Analyzing application source code to detect security flaws, such as encryption errors, buffer overflow, XSS and SQL injection vulnerabilities.
Compliance testing
Checking whether a company’s information security policies, as well as the security controls in its software and IT infrastructure, meet regulatory standards (PCI DSS, HIPAA, GLBA, GDPR, etc.).
Security audit
A full-scale assessment of a company’s cyber defense: IT infrastructure and software security tests along with evaluation of the information security policies, the security awareness of the staff, and physical hardware access.
ScienceSoft’s tip: A company should plan at least 1 penetration test per year and 1 vulnerability assessment per quarter. Ideally, a security test should follow any major change in software and/or IT infrastructure.
- Estimating the budget of the security testing project.
- Designing the data handling policy: collecting, storing, sharing, and deleting test data.
- Planning a mitigation strategy for possible risks related to IT infrastructure and software security testing (e.g., unintentional data exposure, server or network outages, productivity loss).
- Optimizing the plan to avoid redundant efforts and expenses.
2. Security testing preparation
Duration: up to 8 weeks.
- Gathering a team of security professionals with relevant testing skills and experience in similar security testing projects.
- Deciding on the security testing approach and techniques: e.g., internal or external; black box, gray box or white box testing; destructive (SQL injections, DDoS attacks, buffer overflow, application-level floods, brute-force attacks, etc.) or non-destructive (network mapping, OS fingerprinting, social engineering, network sniffing, vulnerability scanning) techniques.
- Selecting appropriate open-source and/or commercial security testing tools:
Vulnerability assessment
Host-based, network-based, wireless, application and database scanners.
Penetration testing
Network protocol analyzers, network mapping tools, password recovery tools, fuzzers, web crawlers, dynamic application security testing (DAST) tools, etc.
Security code review
Static application security testing (SAST) tools.
Compliance testing
Sensitive data finders, automated evidence collection tools, compliance scanners.
Security audit
Computer-aided audit tools (CAAT).
- Deciding whether a test environment is needed. This is a reasonable solution if the security testing team applies intrusive techniques that may damage the production environment or disrupt critical business activities.
- Obtaining the required access to the target assets and data for security test execution.
3. Security testing launch and execution
Security testing launch and execution differ depending on the testing scope and, consequently, on the testing type:
Vulnerability assessment
Duration: 1-2 weeks
- Running automated scans on the target software, networks or devices to identify existing vulnerabilities.
- Manual review of scanning results to eliminate false positives.
- Analyzing detected vulnerabilities and their causes, evaluating their severity.
- Reporting on the results with recommendations on how to fix the vulnerabilities.
Penetration testing
Duration: 1-3 weeks
- Vulnerability scanning: identifying exploitable vulnerabilities.
- Vulnerability exploitation: simulation of true-to-life attacks.
- Analyzing the exploited vulnerabilities and their impact on compromised software and IT infrastructure, as well as on the company’s business in general.
- Reporting and remediation guidance.
Security code review
Duration: 1-8 weeks
- Automated scanning of the application source code.
- Manual review.
- Analyzing detected vulnerabilities.
- Reporting on the findings and recommendations on enhancing application security.
Compliance testing
Duration: up to 10 weeks
- Running vulnerability scanners and reviewing application source code, using penetration testing techniques to find security flaws in software and IT infrastructure.
- Identifying deviations from industry regulatory standards and advising on their mitigation.
- Report on Compliance and/or Attestation of Compliance.
Security audit
Duration: up to 14 weeks
- Analyzing security policies and procedures.
- Interviewing employees to assess their security awareness.
- Incorporating vulnerability assessment, penetration testing, code review and compliance testing, depending on the audit scope.
- Examining physical access to hardware.
- A report with a detailed description and analysis of all findings, as well as recommendations on how to fix the revealed security gaps.
ScienceSoft’s tip: When choosing a provider to take over the security testing process in your company, you may be guided by:
With 19 years in cybersecurity services and over 200 implemented security testing and consulting projects, ScienceSoft offers both end-to-end security testing and expert advice for an in-house security team.
Security testing consulting
- Analyzing your company’s IT security policies and infrastructure.
- Advising on the testing scope (the targets and testing types).
- Security testing cost calculation.
- Developing the security testing strategy and plan.
Security testing outsourcing
- An optimal strategy for your security testing needs and scope.
- Vulnerability assessment, pentesting, compliance testing and security audit, depending on your goals and needs.
- Description and prioritization of the existing vulnerabilities.
- Remediation recommendations.
Our Customers Say:
When I reached out to ScienceSoft, they were immediately responsive to my inquiry, they provided a very competitive quote quickly, and they were able to schedule the testing shortly after our acceptance of the quote. ScienceSoft’s security testing team performed exceptionally well and gave us confidence that our application posed no serious vulnerabilities. Cooperating with ScienceSoft was a terrific experience, and we will definitely consider them for our future security testing needs.
Ed Gordon, VP Products, 5 Dynamics (Simpli5)
- 19 years in cybersecurity.
- An IBM Business Partner in Security Operations & Response since 2003.
- Certified Ethical Hackers on board.
- Experience in development of custom scripts and exploits.
- Successfully completed security testing projects in healthcare, manufacturing, finance, telecom, etc.
- Quality management and customer data security confirmed by ISO 9001 and ISO 27001 certifications.
Security Testing by ScienceSoft: Success Stories
IT Infrastructure Security Testing for an Asian Retail Bank
ScienceSoft performed vulnerability assessment and pentesting of the network’s external perimeter and internal environment, security risk assessment of the client’s digital channels, and simulated social engineering attacks on employees’ email to check their susceptibility to phishing.
Cloud Application Code Review and Pentesting for an Award-Winning IT Company
As a result of automated and manual pentesting and source code review of a cloud-based application for tax returns, ScienceSoft advised on remediation of the detected vulnerabilities to ensure a high protection level of the app before its release.
Network Vulnerability Assessment for a US Mobile Services Provider
ScienceSoft carried out vulnerability assessment of critical internal infrastructure objects of the Customer’s network, as a preliminary procedure before PCI DSS validation.
Penetration Testing of Mobile IoT Apps and Smart Security Cameras
ScienceSoft performed black box and gray box pentesting of iOS and Android IoT apps and two smart security cameras to pinpoint possible vulnerabilities and confirm that data exchange is performed with specific AWS servers only.
Comprehensive Quality Assessment of a Patient Portal for a US Healthcare Service Provider
To ensure that the patient portal complies with HIPAA Security Rule, ScienceSoft conducted vulnerability scanning, malware detection, penetration testing, and source code review.
Network Penetration Testing for a US Law Firm
ScienceSoft conducted network pentesting for a law firm and advised on how to fix multiple existing vulnerabilities to enhance network security.
The composition of a cybersecurity testing team varies in each project and is tailored according to specific testing scope and requirements. Here is a list of ScienceSoft’s experts who may be involved in different types of security testing.
Security testing manager
- Plans a security testing project depending on the negotiated scope.
- Manages security testing process and the team.
- Supervises security testing execution.
- Communicates with the customer to coordinate a security testing project.
Vulnerability assessment specialist
- Runs vulnerability scans on applications, networks and devices to identify vulnerabilities.
- Performs a manual review of the findings to exclude false positives.
- Evaluates the severity of discovered vulnerabilities.
- Analyzes the root causes of the vulnerabilities.
- Reports on the findings and advises on remediation steps.
Penetration test engineer
- Locates and explores exploitable vulnerabilities.
- Identifies entry points and methods hackers can use.
- Develops penetration scripts and tests.
- Simulates hackers’ attacks on applications, networks or devices.
- Evaluates the impact of detected security breaches on the business.
- Provides recommendations on security risks mitigation.
Security code review analyst
- Performs a manual analysis of application source code.
- Selects or develops automation tools for code review.
- Identifies vulnerabilities in the code.
- Recommends remediation actions.
IT compliance specialist
- Reviews a company’s IT security policies and procedures, evaluating their compliance with regulatory standards.
- Investigates if all mandatory software, network, and hardware security controls are in place and meet regulatory requirements.
- Documents cybersecurity compliance deviations.
- Offers mitigation guidance.
- Collaborates on compliance documentation.
IT security auditor
- Reviews a company’s security policies and procedures.
- Verifies employees’ security awareness.
- Performs security assessment of software and IT infrastructure.
- Evaluates the effectiveness of security controls.
- Detects gaps in security architecture and procedures.
- Provides a comprehensive report of the audit and a security risk management plan.
Security testing management and implementation are in-house
Pros:
- Minimizing the risk of sensitive data leaks.
- Security testers with a good understanding of their company’s processes and IT environment.
Cons:
- Limited security testing skills and experience.
- “Inside-the-box” thinking due to familiarity with the IT environment, which may lead to missing certain vulnerabilities.
- The need to update the security testing toolkit and train the testers.
- Salaries and maintenance costs.
Security testing management and implementation are completely outsourced
Pros:
- Solid experience and best practices: a wide choice of advanced cybersecurity testing technologies and skills.
- Cost-effectiveness and reduced TCO.
- The vendor takes over the planning, preparation and implementation of the security testing project.
- An independent expert view: impartial insights into your company’s security policy and infrastructure.
Cons:
- Exposing your IT infrastructure to a third party may be risky, unless you deal with a reliable vendor.
- The security testing team needs time to get familiar with the specifics of your software and/or IT environment.
Security testing management is in-house; the test team is completely or partially external
Pros:
- Flexibility: scaling up and down, depending on the testing needs.
- Control: the internal security testing manager oversees the testing process.
Cons:
- It may be difficult to find a well-versed expert able to design the security testing strategy and ensure smooth cooperation and monitoring.
Benefits of Security Testing by ScienceSoft
Guard against the latest cybersecurity threats
We keep up with the newest vulnerabilities and hacking techniques, as well as with the most advanced practices to address them.
Optimize vulnerability remediation
We prioritize detected security gaps, advise on efficient corrective measures and are ready to fix existing vulnerabilities in your software and IT infrastructure.
Stay compliant with industry-specific regulatory security standards
Our security testing engineers team up with compliance consultants to evaluate your compliance with HIPAA, PCI DSS, GDPR, and other standards and regulations, and competently advise on fixing non-compliance issues.
Tools ScienceSoft Uses to Assess the Security of Software and IT Infrastructure
With hands-on experience across multiple security testing tools, ScienceSoft’s experts competently choose an optimal toolset for each project to get quick and accurate results.
Cybersecurity testing costs vary across different projects, depending on the scope of testing required for a particular company.
General cost factors include:
- Security testing targets: the number of IPs, servers, networks, applications to be tested, employees to be interviewed, etc.
- The complexity of the IT environment: network organization, application architecture, etc.
- The testing types and techniques: vulnerability scanning, black or white box testing, security code review, social engineering, etc.
For in-house security testing
- The size of the security testing team (salaries and benefit packages, additional training).
- Creating and maintaining a working environment for the security testing unit.
- Toolkit maintenance (license fees).
For outsourced security testing
- The size of the security testing team and the qualifications of the security testing professionals.
- One-time or long-term cooperation (a vendor may be willing to reduce the costs for subsequent IT security assessments).
Sample Security Testing Projects with Costs
Description: Social engineering testing and gray-box penetration testing of customer-facing software (a web and a mobile application) and its external APIs.
Estimated cost: $15,000+
Description: Black-box network vulnerability assessment of up to 200 IPs aiming to evaluate HIPAA compliance.
Estimated cost: $5,000+
ScienceSoft is a global provider of cybersecurity services headquartered in McKinney, Texas, US. With Certified Ethical Hackers on board, ScienceSoft’s security testing team offers their expertise to help our customers enhance their IT security posture and maintain their compliance with regulatory standards. Customer information security is ensured by ISO 27001 certification.