ISS Audit

De-Risk Tomorrow By Boosting Cybersecurity Today

How we can help

Your attack surface is growing rapidly, constantly changing and increasingly interconnected, and your security teams face an uphill battle trying to prevent attacks. A cybersecurity audit enables your organization to understand its cyber risk so that you can make better-informed business decisions.

Our experts provide a clear, comprehensible and detailed diagnosis of your current cybersecurity posture, in order to identify gaps in your defenses, implement best practices, stay ahead of emerging cyber threats, build a security-compliant business and gain your customers' trust.

Any questions? Ask our experts.

What we do

We measure your level of protection with a security audit of your Information System, using concrete testing that reproduces the conditions of a real cyberattack. Our experts carry out a technical security audit of your information system in order to evaluate your risk, identify your vulnerabilities and give you a list of recommendations.

We perform complete technical audits adapted to your needs, in black-box, gray-box or white-box mode. From internal to external penetration testing, including phishing audits, our work verifies your security from a hacker's perspective.

Penetration Testing

Our auditors evaluate the security of the perimeter defined with you, following a methodology specific to the perimeters tested. They simulate the behaviour of a hacker, intruder or malicious insider at different skill levels. The methodology, grounded in the main penetration testing and risk management standards, is constantly refined by Stroople. The vulnerabilities discovered on the audited Information System are then qualified and a corrective action plan is developed. It is based in particular on the Penetration Testing Execution Standard, as well as on fundamental resources such as the OWASP Testing Guide, the OWASP Risk Rating Methodology and the Open Source Security Testing Methodology Manual (OSSTMM).

  • Infrastructure and network pentest

    IT infrastructure is central to the day-to-day operations and management of businesses. The purpose of an infrastructure or network pentest is to test the security of elements that can be attacked from outside the company (public IPs, servers) or from the inside (workstations, network devices, servers).

  • Web security audit

    Web applications are always a particularly vulnerable part of information systems, due to their level of exposure to attacks and the lack of security awareness observed among development teams in many companies.

    The purpose of a Web pentest is to assess the robustness of your Web platform.

  • Mobile pentest

    Mobile applications are a weak point of information systems, because many developers are not aware of security issues.

    The purpose of a Mobile pentest is to test the application itself, as well as the APIs and back-end servers it relies on.

Configuration Audit

A configuration audit is an activity conducted to determine whether a system or component meets its functional and security requirements.

The purpose of the configuration audit is to verify the implementation of security practices that comply with the state of the art (best practices, source code, configuration guides, etc.), and with the requirements and internal rules of the audited party, with regard to the configuration of the hardware and software devices deployed in an information system.

The audit approach is based on the SANS (SysAdmin, Audit, Network, Security), ANSSI and CIS (Center for Internet Security) guidelines and on vendors' security hardening guides, as well as on the state of the art and your specific business constraints.

Organisational Audit

Our auditors analyse the policies and procedures defined by your firm in order to verify their compliance with your security needs. We verify that the policies and procedures in place keep the audited Information System in operational and secure condition, and that they comply with our client's needs, the state of the art and current security standards. We also verify that these policies and procedures properly complement the technical measures put in place and are effectively implemented.


Phishing Audit

Phishing is a very popular way for attackers to gain initial access to a corporate network, steal confidential information and then spread further. Although everyone is exposed to this type of attack, in practice few users are properly aware of the pitfalls to avoid and the best practices to follow.

In order to respond to this threat we offer four types of phishing campaign:

  • Phishing mail
  • Targeted Smishing
  • Targeted USB Phishing
  • Anonymous USB Phishing

For each type of campaign we silently collect statistics on the actions carried out by the targeted people (opening the email, submitting a password, …).

What makes the difference

Stroople offers customized auditing services with a focus on pragmatic, actionable results to protect your business. We offer both one-shot security audits and recurring security audits at regular intervals.

We use our expertise in attack techniques to identify the technical, logical and human vulnerabilities of your information systems. The exploitation phase of security flaws enables us to determine the real risk of each finding, so that it can be reduced efficiently and rapidly.

Our quality methodology allows you to benefit from:

  • Pentest reports written manually by our experts,
  • The complementary view of two security experts,
  • Manual analysis that complements the automated approach,
  • Clear and precise recommendations, remedies and corrective actions,
  • A report that can be shared with your teams.

Black, Gray or White box? You choose!

We are frequently asked to advise on the appropriate scope for application penetration tests. Time and budget constraints often raise the question of whether to use a black-box, gray-box or white-box penetration test. If all pentesting approaches worked equally well, only one of them would be used. The main trade-offs between black-box, gray-box and white-box penetration testing are the accuracy of the test versus its speed, efficiency and coverage.

Black Box

In this configuration, our auditors perform the penetration test without any prior knowledge of the target. This type of test aims to analyse the level of resistance of the information system to attacks carried out by an external hacker. The primary question is: "Can an external attacker with no prior access obtain access to the application or its data?". It allows a realistic assessment of the security level of the information system under study.

The major downside of this approach is that if the testers cannot breach the perimeter within the scheduled time, vulnerabilities in internal services remain undiscovered and unpatched.

Gray box

Gray-box testing is a combination of black-box and white-box testing techniques. In black-box testing the tester is not aware of the internal workings of the application being tested, while white-box testing gives the tester that knowledge freely. Gray-box testing grants the tester partial knowledge of the internal structure, including access to internal data and design documentation for the purpose of creating test cases. This type of test aims to analyse the level of resistance of the information system to attacks carried out after a user account has been leaked, or after the workstation of an employee or subcontractor has been compromised. It allows an advanced evaluation of the security level of the system under study.

The purpose of gray-box pentesting is to provide a more focused and efficient assessment of an Information System's security than a black-box assessment.

White box

In this configuration, our auditors perform the penetration test with full access to the source code or configuration elements of the project, the design documents of the software architecture, and a user account for each type of role defined. This type of test aims to anticipate the risks to the perimeter as completely as possible, and in particular to evaluate the level of resistance against malicious insiders or attacks carried out over a long period. This assessment, however, is also the most labor-intensive and time-consuming. Not all applications are appropriate to assess in this fashion.