Penetration Testing Methodology

Blue Frost Security has developed a methodology to detect and analyze security gaps, flaws and holes systematically. The Blue Frost Security methodology described below closely follows and extends the general proceedings for penetration tests determined by the Federal Office for Information Security (BSI).
The complete security audit is conducted using BFS expert knowledge and “best practice” methods (i.e. OWASP Testing Guide v3 including OWASP Top 10 (2013), OSSTMMv3, BSI Penetrationstest, WASC, SANS Top 25, NIST SP800-115). The tools utilized by BFS are either in house developments or publicly available specialized tools as well as frameworks coming from well-known and reputable software vendors (all proof-tested by the BFS Labs).
During our tests no intentional damage or interruption of services is done to customer’s systems, however we recommend the use of test environments for penetration testing when possible.
Our projects are typically divided to the following phases:
  1. Scoping and pre-engagement. Together with the client clearly outlining the scope and the prerequisites of the test, followed by the other necessary preparations and a kick-off meeting.
  2. Passive information gathering – collecting information without interaction with a target using publicly available open resources.
  3. Active information gathering and understanding the logical and physical topology. Various utilities, frameworks and scanners are used during this phase to identify characteristics of target systems (infrastructures) as precisely as possible (i.e. open ports, services and software versions and configurations, patch states, etc.) 
  4. Exploitation – modelling potential attackers’ actions in order to compromise target systems (infrastructures) via identification and exploitation of various security weaknesses (known security holes, programming faults, insecure configurations, weak password, etc.). The BFS security experts have extensive knowledge and experience in this area and will program, if necessary, attack software to conduct specific security tests adjusted to the respective environment and situation.
  5. Post-exploitation and analysis. Upon the successful compromise of the system BFS will (if desired) attempt further penetration deeper into other associated systems (backend) or a corporate infrastructure (intranet). When BFS is not able to successfully compromise the systems, BFS will give an evaluation of the remaining risks.
  6. Reporting – BFS’s goal is to provide a customer a highly valuable report which can be used as a working tool in the security management and improving processes. Thus BFS reports contain parts targeted at management as well as technical departments and consists of the following typical parts:
    • Management summary, outlining general security overview (level), associated risks and recommended security measures;
    • Description of the used methodology and performed checks which provide a customer with an overview of the assessment coverage, thus benchmarking the delivered results.
    • Detailed technical description of all identified security weaknesses along with the associated risks, reproducible validation and proof steps and recommended solutions.
  7. Quality assurance. To make sure that no vulnerabilities were overlooked by the BFS analysts, a cross-check and an additional manual-based audit with cutting edge security knowledge and tools from the BFS lab are applied to results of all projects.
  8. Maintaining BFS expertise. To maintain the unique proprietary BFS knowledge base, interesting and intricate project cases are discussed and investigated among the whole BFS team. Customers’ feedbacks are also analyzed during this phase and used further for BFS process improvements. 
As an important part of project communications, BFS analysts send regular status reports (daily, weekly, etc. – as desired by a customer), thus keeping customers informed about current project activities and milestones. Customers get also immediately informed if any critical security vulnerabilities were identified and verified or in case of identifying tracks of previous or current illegal activity at customer’s systems.
We treat our customers’ data very seriously, therefore BFS has developed and strictly follows its own Customer Data Protection Policy – all sensitive customer data is to be wiped from BFS systems after submitting the final report.