Testing checklist

Network pentest: Identify vulnerabilities and perform exploitation to assess the impact on the network systems.
Server pentest: Identify vulnerabilities and perform exploitation to assess the impact on the servers.
Web Application pentest: Identify vulnerabilities and perform exploitation to assess the impact on Web applications.
Mobile App pentest: Identify vulnerabilities and perform exploitation to assess the impact on Mobile applications.
ATM system pentest: Identify vulnerabilities and perform exploitation to assess the impact on the ATM system and related components.

Implementation method

Step 1
White-Box Testing: The pentester is provided with all information related to the object being assessed (model, source code, accounts, ...), acting as a member of the organization. The pentest process requires the pentester to have in-depth skills in programming and systems.
Step 2
Gray-Box Testing: The pentester is provided with only part of the information related to the object being assessed (accounts with lower privileges, ...).
Step 3
Black-Box Testing: The pentester is not provided with any information related to the object being assessed, acting as an external attacker.
Step 4
In addition to finding and exploiting published/known vulnerabilities and vulnerabilities originating from the customer's development team, GTSC also searches for and exploits 0-day vulnerabilities in 3rd-party components (libraries, extensions, frameworks, …) that have not been publicly disclosed.

Results

The result report includes the following:
Overview of objectives, scope of implementation.
Summary of approach, implementation methodology.
A list of identified vulnerabilities, and their severity.
For each vulnerability: severity level (critical, high, medium, low) / CVSS score, detailed description, reference link, location/parameter of the vulnerability on the system, analysis of whether it can be exploited internally/externally, proof of concept (PoC), steps to reproduce the PoC, ...
The remediation for each vulnerability:
  • Detailed troubleshooting guide: instructions to fix source code, instructions to configure the system, links to download the patches, ...
  • Plan to minimize risks or temporarily fix vulnerabilities that cannot be completely handled.