We instill confidence
We support our customers by auditing the security of their software and their IT, identifying their weak points.
days allocated to innovation and R&D
A penetration test follows an iterative cycle of four phases:
Reconnaissance: Auditors explore the target to understand its technical and functional architecture.
Vulnerability Discovery: Depending on the technologies present, a manual search for vulnerabilities is conducted.
Exploitation: Identified vulnerabilities are exploited to confirm their presence and assess their impact.
Pivot: Exploitation may provide access to new components of the target, leading to a new analysis phase.
Objective: Deliver an engagement that simulates a realistic attack, typically represented in four major steps:
Open Source Research & Reconnaissance: Gathering information from publicly available sources to understand the target’s digital footprint and potential vulnerabilities.
Social Engineering: Utilizing psychological manipulation to exploit human behavior and gain unauthorized access to the target system.
System Access: Attempting to gain entry into the target system using various methods, including exploiting vulnerabilities, weak credentials, or misconfigurations.
The configuration audit aims to verify the implementation of security best practices on a logical or physical security device.
NEVERHACK auditors rely on various standards and best practice guides depending on the specific equipment and client context (such as ANSSI, NIST guides, etc.).
The configuration audit may cover equipment such as:
- Virtual server templates or workstations (Windows & Linux) and more.
This service encompasses a documentation review and exchanges with technical counterparts to validate elements such as the deployed software or hardware solutions: not only their positioning, but also their roles and configurations.
- Technical Architecture Document (description, diagrams, flow matrices, etc.)
- Risk Analysis
- Technical and operational constraints
Mobile application audits are typically divided into three major stages as described below (not exhaustive):
Reconnaissance: Gathering information related to the publisher. Gathering application-specific information.
Static Analysis: Application review (searching for hard-coded elements, poor practices, or any elements posing a risk). Analysis of application behavior (APIs, URLs, data storage, etc.). Attempts to misuse APIs, etc.
- Interception and traffic analysis
- Dump and memory analysis
- Testing SSL pinning
- Attempted injections, fuzzing, etc.
Hardware and IoT audit
Connected devices and the Internet of Things (IoT) are becoming increasingly prevalent in our daily lives.
IoT devices hold proprietary and personal information, and they access and communicate with various services through which sensitive information may transit.
This is why it’s crucial to ensure a high level of security for these devices.
Source code audit
In order to carry out the source code audit under the best conditions, NEVERHACK proposes the following approach for technical tests:
- Automated review
- Manual review
It is also necessary to provide a set of prerequisites based on the audited scope (identified during the kickoff phase), such as:
- Non-Disclosure Agreement (NDA)
- Naming conventions
- Source code(s)
Phishing aims to:
- Assess the awareness level of your employees
- Provide a complementary approach to risk
- Enable the planning of tailored awareness programs following the phishing campaign