north provides penetration testing services for a large Australian government client. The client operates a complex ICT environment with a large annual ICT budget.
The client requires ongoing penetration testing to identify vulnerabilities and provide remediation advice across targets including custom built applications, supporting infrastructure, and vendor solutions. These targets encompass a broad variety of technologies including Angular, NodeJS, Java, alongside products from SAP, Redhat, IBM and Microsoft.
north has worked with the client over a long period to refine the approach to penetration testing to achieve the optimum balance of effectiveness and efficiency to maximise the value of the penetration testing program. north takes a lead role in the operation of the program, working to continually improve the approach, techniques and outcomes used to deliver maximum value to the client. north works with stakeholders, including other service providers, to ensure the client’s needs are prioritised and business goals supported accordingly.
The Penetration tests were conducted over three phases:
Scoping: determining the scope of a test and conducting high level threat modelling to determine the best threats and attacks to simulate.
Planning: completing the preparation required to conduct the test. Gathering accounts, target hosts and IP addresses, reviewing design documentation and refining and validating the threat models created previously.
Delivery: completing the test applying both manual and automated techniques with tools including Burpsuite, Kali, Nessus, bespoke tools, and the department’s enterprise grade toolset to identify known and unknown (Zero Day) vulnerabilities in target applications, frameworks and infrastructure. Results are reported as they are identified, documenting, communicating and explaining vulnerabilities to affected teams to ensure that effective remediation is completed.
north provided assurance to the client as to the technical security posture of the various systems and infrastructure under review.
- Identification of systemic weaknesses within software development and service operations teams
- Significant improvement in the client’s security posture
- Identification and remediation of Zero Day vulnerabilities in Vendor products This provided the client with detailed information around potential security weaknesses, options for mitigating specific risks and information to be fed back to development teams to continuously improve the security of the wider environment over time.