Service Overview
This service provides a sampling-based cybersecurity due diligence (DD) assessment focused on evaluating the maturity level of a company’s product. The assessment is performed using a grey-box methodology, where the assessment team is granted access to relevant parts of the product and its corresponding source code on demand.
The primary objectives are to estimate the application’s security posture, identify high-risk vulnerabilities, and recommend initial remediation steps for the assessed entities.
Methodology
This hands-on assessment is performed through manual penetration testing, supported by automated tools and scanners, and follows a structured methodology. Application-level testing is based on the OWASP Top 10 standard, and findings are risk-rated using CVSS 3.1.
The assessment includes testing from both anonymous and various authenticated user roles in the application, and applies to various types of software: web applications, APIs, desktop applications, mobile applications, and more.
Activities include:
Scanning application servers for infrastructure-level vulnerabilities
Using automated scanners to detect common application vulnerabilities
Manual penetration testing to uncover vulnerabilities that automated tools may miss (e.g., business logic and authorization flaws)
Identifying session management issues such as OAuth and JWT misconfigurations
Detecting injections and other implementation vulnerabilities, including XSS, SQL Injection, NoSQL Injection, and others
Attempting to exploit the identified application vulnerabilities
Performing additional exploitation techniques such as cookie poisoning, business-logic exploits, flooding proof-of-concept, and more
CYE will not perform the following:
Tampering with or exfiltrating production data
Financial fraud activities
Denial-of-service attacks
Intentional access to sensitive customer information
At the conclusion of the assessment, findings are risk-ranked based on their potential impact.
Prerequisites
The following information is required to initiate the assessment:
Application access details if the application is not publicly exposed (e.g., VPN access)
At least two user accounts per significant user role
Mobile application APK/IPA compatible with the development environment (preferably without SSL pinning)
Infrastructure architecture documentation
Description of the application's purpose and key features
API documentation
Dev environment with dummy/test data to avoid availability issues
WAF IP exclusions
Defined scope and any excluded features (e.g., functions or features to avoid)
Optional: specific scenarios to focus on
Customer Engagement
A 1–2 hour scoping session with a representative to define attack scenarios
Weekly 1-hour meetings with a developer or technical stakeholder for specific technical Q&A during the assessment
Assessment Duration
10–30 days, depending on the application’s size and complexity. The mitigation support timeline depends on client progress and needs.
Relevant Standards
OWASP Top 10
OWASP Web Security Testing Guide (WSTG)
CYE proprietary methodologies and tools
Security Domains Covered
Application-level security
Sensitive data and information management
Servers, network equipment, and endpoints security
