Security tests constitute one of the methods of verifying the effectiveness of solutions aimed at protecting information and organisations against threats. The tests focus on identifying security issues in the applications or infrastructure under test and on attempting to use the identified vulnerabilities to gain unauthorised access to poorly protected information or to remotely take control of the organisation's systems. The tests may cover web applications, mobile applications, dedicated application solutions, server and virtual infrastructure, network devices (LAN/WLAN) and mobile devices.
The approach to the work depends on the Client's expectations and may follow the so-called black-box methodology, in which the testing team has minimal knowledge of the tested system; the white-box methodology, in which the team has access to the source code of the tested system and to its documentation; or the grey-box methodology, in which access to knowledge about the tested solution is limited (e.g. access only to its documentation, or to fragments of the source code in order to confirm whether vulnerabilities are present).

The aim of the tests may be to identify as many security vulnerabilities in the tested infrastructure as possible (the so-called Vulnerability Assessment) or to carry out a scenario aimed at, for example, obtaining specified valuable information or defeating the security mechanisms of a critical system (the so-called Penetration Test). Sociotechnical tests are a specific type of test in which both technical vulnerabilities and the lack of awareness of the organisation and its staff are identified and used. During sociotechnical tests, methods commonly used by criminal groups are employed, provided that they do not cause damage to the organisation.

During security tests, both commercial and free tools supporting the work of the team are used. The team's strength, however, lies in its ability to analyse security mechanisms manually, without the limitations imposed by ready-made solutions. This yields test results of high quality and eliminates false positives, i.e. problems incorrectly diagnosed by automated software.
Such an approach to testing is possible thanks to the team's extensive experience in the design, construction, validation and reverse engineering of a wide range of ICT solutions, as well as its practical knowledge of network protocols, numerous programming languages (both high-level and low-level) and various technologies, both modern and legacy.

The team's work results in a report presenting the identified vulnerabilities, which discusses and illustrates how they can be used, describes the associated risks and contains recommendations whose implementation is aimed at reducing the negative effects of security errors and, above all, eliminating their causes. The high quality of the reports (in both Polish and English) is ensured by a quality assurance process during which the material is critically assessed in terms of its content, language and formal aspects. Once the organisation has implemented the recommendations, a re-test is carried out to verify the effectiveness of the improvements that have been made. At the end of that stage, a final report is prepared which documents the security status of the tested solution.

Periodic security tests are a method of continuously improving the level of protection while maintaining an economical approach to the selection of security mechanisms. They also form an element of the so-called Systems Development Life Cycle (SDLC); as a result, they can be planned in advance and have a positive impact on the design process. The ability to meet the expectations imposed by regulations or adopted standards is an unquestionable advantage of regularly assessing the security of systems with this method.