Information Security Professional Services

Penetration Testing Services

Penetration testing and offensive information security is our specialty, and we have been performing these types of engagements for over a decade for organizations of all sizes. Whether you require a penetration assessment for regulatory compliance reasons or are simply curious about the effectiveness of your organization’s security controls, we have performed tens of thousands of these types of assessments for organizations. We are passionate about helping organizations discover their greatest risk and guiding them through risk-reducing remediation. At Shamar Information Security LLC, we understand that the quality of a penetration assessment matters and that it is just one means by which to identify risk within your organization.

We offer the following customizable Penetration Testing consulting services:

  • The Internal Penetration Assessment service attempts to identify, and exploit, vulnerabilities from the perspective of an anonymous malicious user, or an insider threat, positioned on an internal information systems network within the organization. Shamar Information Security LLC performs this service using a grey-box testing approach, typically relying on limited information provided by the organization. A black-box or full white-box approach is available upon request.

  • The External Penetration Assessment service takes the perspective of a malicious user attempting to breach or bypass the information security controls between two (2) information system networks. This is commonly performed from the perspective of a malicious user on the Internet trying to bypass perimeter security controls to breach an organization’s internal information systems and network(s). Shamar Information Security LLC performs this service using a grey-box testing approach, typically relying on limited system and network information provided by the organization. A black-box or full white-box approach is available upon request.

  • For the scenario-based Penetration Assessment, we will work with you to develop a customized penetration testing scope and set of assessment parameters based on the number of scenarios against which your organization would like us to test. This type of assessment typically has a narrower focus or goal than our typical penetration assessments. The following list highlights example use cases for this type of service:

    • Mergers and Acquisitions

    • Assumed breach

    • Hardened environment breakout

    • Privilege escalation focused

    • Lateral movement focused

    • External Penetration Assessment with Social Engineering

    • Internal Penetration Assessment with Social Engineering

    • Detection avoidance

  • Our Web Application Penetration Assessment provides your organization with a thorough, deep-dive examination of your company’s web application against industry best practices and follows our proprietary application security testing methodology. This type of assessment focuses on using automation to supplement a manual-testing-heavy approach to identify and attempt to exploit vulnerabilities within a web application and its infrastructure. As such, this assessment requires a bit more time to complete when compared to the Web Application Vulnerability Assessment service offering.

  • The Web Application Vulnerability Assessment is a slightly shorter engagement than the Web Application Penetration Assessment and focuses more on vulnerability identification through automated testing. Manual testing is used for finding validation and false-positive analysis only, and little to no vulnerability exploitation is provided. This type of assessment provides a cost-effective option for organizations that want to bridge the gap between Dynamic Application Security Testing (DAST) and a full-blown Web Application Penetration Assessment. Like the Web Application Penetration Assessment, this testing is performed with and without application user credentials and follows our application security testing methodology.

  • The API Penetration Assessment service focuses solely on examining an organization’s API against application security best practices using our application security testing methodology. Shamar Information Security LLC performs this assessment from a white-box, full-disclosure approach using customer-provided API documentation and sample requests and responses. This assessment uses automation to supplement a thorough, manual-heavy testing approach.

  • Binary analysis is a passion of ours, and we apply that love to our Desktop Application Penetration Assessment service offering. We examine all aspects of the desktop application against application security best practices to identify and attempt to exploit vulnerabilities associated with memory interaction, file system interaction, web application interaction, network interactions, input validation, missing or insufficient compile-time protections, etc. Each desktop application is different, and we customize this service offering to provide a thorough and cost-effective solution.

  • Mobile Application Penetration Assessments are more complex to perform than most organizations may realize due to the specialized requirements needed to set up an effective testing environment. We take care of that stress for you and have been doing so for the majority of our careers, staying up to date on mobile security and mobile risk trends. Our assessments are designed to perform a thorough examination of mobile applications and their interaction with the mobile device, any APIs used for mobile application communication, and the API infrastructure supporting the mobile application APIs. We attempt to identify and exploit vulnerabilities in iOS and Android mobile applications that your organization develops. Our testing approach follows our application security methodology and additionally employs analysis and comparison against the OWASP Mobile Top 10 and the OWASP Mobile Application Security Verification Standard (MASVS).

Application Security Advisory Services

Throughout our lengthy careers, we have guided organizations of all sizes through their application security journey as trusted advisors. Our experience stems from helping many of these companies harden their core products through application security advisory consulting as an extension of their own application security team. These engagements are typically longer-term projects when compared to penetration testing services and are tailored specifically to the organization’s needs. As such, deliverables for this type of engagement vary, as do project milestones and delivery timelines. We help organizations realize success during these engagements by ensuring open and timely communication and continued collaboration throughout the entire project.

Some common use cases for this type of service include the following:

  • Organizations looking for guidance on growing or maturing their own application security program have used our consultants to guide new policy, process, or procedure improvements and to identify maturity gaps using common industry frameworks and best-practice guidance.

  • Another common use case is aiding organizations with evaluating the effectiveness of automated application security testing tools, with the intent of guiding the organization to an unbiased, results-based purchase of one tool that aligns with its requirements. This type of assessment involves Shamar Information Security LLC consultants working with your organization to develop a project plan communicating deliverable expectations, organization requirements, and project milestones.

  • As a separate project, or combined with a tool evaluation engagement, we will assist your organization as an extension of your application security or product security team to facilitate successful developer onboarding and integration for purchased application security tools. This is a customizable offering allowing the organization to utilize our consultants as little or as often as needed within the communicated engagement timeline. A project plan is developed and agreed upon at the onset of the engagement to effectively set project expectations and milestones. Deliverables for this type of assessment vary and are dependent upon the requirements of each engagement.

  • This longer-term engagement provides your organization with experienced application security consulting to supplement your application security or product security team by integrating our consultants into your application security program. This service is designed to run several months to aid in application security initiatives that are more ad-hoc in nature.

  • In some cases, organizations need help prioritizing identified vulnerabilities. This type of engagement is designed to aid product development teams in prioritizing risk-reducing remediation tasks following an assessment or other application security testing activity.

Assessment Methodology

The proprietary methodology used for our penetration testing services draws from the Penetration Testing Execution Standard (PTES), the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and the NIST Special Publications (SP) thereunder, and the MITRE ATT&CK® framework. Our application security testing methodology relies heavily on the Open Web Application Security Project (OWASP) Web Security Testing Guide, along with level-1 and some level-2 requirements from the OWASP Application Security Verification Standard (ASVS). All of our testing methodologies align with the requirements and guidelines outlined in regulatory compliance guidance such as the Payment Card Industry (PCI) Data Security Standard (DSS).

Risk Rating Methodology

At Shamar Information Security LLC, we provide quantitative risk ratings on our assessment reports using the current version of the Common Vulnerability Scoring System (CVSS), and qualitative risk ratings using the NIST Risk Management Framework (NIST SP 800-53r5) based on our understanding of your organization and business at the time of each assessment. If there are other risk frameworks your organization employs, we are more than happy to customize our reports for your organization’s requirements. Letters of attestation with and without summarized risk details are available upon request at no extra charge.