Web Application Penetration Testing
This should be considered when an organisation exposes a web application containing sensitive data, or connected to internal systems, to untrusted users or networks. Even web applications on the organisation's local internal network should be considered strong candidates for web application penetration testing if they contain customer data / Personally Identifiable Information (PII).
Web applications account for a large portion of breaches, and 2023 – 2024 saw a 180% increase in the number of incidents originating from exploitation of vulnerabilities, of which web applications make up a majority share (https://www.verizon.com/business/en-gb/resources/reports/dbir/2024/summary-of-findings/).
All organisations should strongly consider Web Application Penetration Testing on a regular (quarterly / annual) basis, depending on the criticality of the web application and the nature of the data it houses.
Oxford Systems follow the OWASP Top 10 methodology for identifying the most common and dangerous web application vulnerabilities. Our consultants are experts in Web Application security and have experience with development and secure code review.
External Infrastructure Penetration Testing
This service assesses the external perimeter of an organisation’s environment. This is typically against services exposed to the internet such as mail servers, web servers or services used for third-party integration. Unlike Web Application Penetration Testing, which assesses at the application level, External Infrastructure Penetration Testing focuses on service-level vulnerabilities and misconfigurations.
An organisation should consider External Infrastructure Penetration Testing after any changes to the perimeter (such as exposing a new service) and on a periodic basis to detect new and emerging vulnerabilities.
Penetration testing helps identify weaknesses, improve security measures, ensure compliance, and reduce the risk of external threats.
Internal Infrastructure Penetration Testing
An assessment of your organisation’s internal network to identify vulnerabilities and misconfigurations. While the main objective is to locate security issues, our consultants will also try to escalate privileges during the test. This typically means starting with no account at all and trying to reach the highest level of privilege in the environment. This approach helps to demonstrate impact to the organisation’s cyber security owners and allows our experts to uncover vulnerabilities at a much deeper level.
Internal Infrastructure Penetration Testing should ideally be conducted on a regular basis, such as annually. Improving a large environment can take a great deal of time, and so periodic testing helps to ensure that progress is steadily heading in the right direction.
Oxford Systems can perform configuration reviews on certain components of Internal Infrastructure such as Active Directory. This activity is more passive and might provide an alternative if you are concerned about disruption and want to start small.
Thick Client Penetration Testing
This service is designed to assess the security of desktop applications that connect either directly or indirectly to a database and process company data. Thick Clients are very commonly used in larger organisations and can often be overlooked in terms of security. In many cases, they can provide a direct route to the backend databases they connect to. Should this be the case, it leaves a low barrier of entry for an attacker to gain access to important data from wherever the Thick Client is installed.
Thick Client Penetration Testing will identify security issues in the application which your organisation can use to remediate vulnerabilities. If remediation is not possible for any reason, we can provide guidance on risk management strategies to avoid potential compromise.
Understanding the risk around Thick Clients is not always straightforward, but we can help to advise you on what you can do to understand and manage the risk posed by these applications.