Technical Assessment

Penetration Testing & Vulnerability Assessments

Penetration Testing & Vulnerability Assessments (sometimes collectively referred to as “pentesting”) measure the ability of your technical environment to withstand an attack launched by an attacker seeking to undermine the security of the infrastructure, systems, or data stored within them. During this type of assessment, Summit’s team of security engineers uses a variety of technical tools coupled with manual testing techniques to discover, test, analyze, and describe weaknesses in the environment.

This type of engagement gives clients a detailed understanding of risks within their technical infrastructure.

Common types of technical vulnerability tests performed by Summit:

  • External Attack Surface Assessment
  • Internal Vulnerability Assessment
  • Wireless Network Security Assessment
  • IoT (Internet of Things) Security Assessments

Application Specific Testing

A specific type of penetration testing or vulnerability assessment, an Application Security Assessment is performed using a set of technical tools and manual testing techniques to examine an application or set of applications for common weaknesses or vulnerabilities that may cause the application to behave in an inappropriate manner, or expose confidential data to unauthorized parties. During this type of testing, we examine applications for weaknesses in design, deployment, and configuration. Common findings often include SQL injection, cross-site scripting, authentication flaws, cryptographic weaknesses, and other vulnerabilities commonly noted in the OWASP Top 10 List of application vulnerabilities. Beyond the OWASP Top 10, Summit Engineers perform a great deal of manual testing, often assisted by source code, application architecture reviews, and threat modeling to generate accurate and actionable results for our clients.

This type of engagement gives clients a detailed understanding of risks within an application.

Common types of application security assessments performed by Summit:

  • Unauthenticated Application Security Testing (aka “black box” testing)
  • Authenticated Application Security Assessments, often accompanied by source code (aka “white box” testing or Code-assisted Penetration Testing)
  • Application Architecture Threat Modeling
  • Source Code Security Review

Social Engineering Susceptibility

Social engineering, or “hacking the human,” is an increasingly common threat vector used by attackers, from script kiddies to organized crime to foreign actors, whether carried out by malware, such as ransomware or other viruses, or through the use of deceptive techniques such as phishing. Sadly, it is very effective.

Summit’s assessment activities can simulate a variety of different social engineering attack scenarios in a safe and constructive manner designed to measure and report on our clients’ ability to fend off a real social engineering attack.

This type of engagement gives clients a detailed understanding of how their staff would respond to an actual social engineering attack against their organization.

Common types of social engineering exercises performed by Summit:

  • Email Phishing Campaigns
  • “Red Team” Facility Physical Security Assessments
  • “Malware” Infection Susceptibility Testing
  • Phone Scam Susceptibility

Reporting

All of our technical testing engagements result in a “Findings Report” deliverable that is shared with our clients. This report documents, in technical detail, vulnerabilities and weaknesses that could be exploited to compromise the confidentiality, integrity, or availability of a client’s systems, data, or environment (depending on the scope of the engagement). Our reports are much more than standard automated security tool output. Each report incorporates the output from the security tools we use, documented vulnerabilities discovered using manual testing techniques, detailed technical proofs of concept, and customized recommended steps that should be taken to eliminate vulnerabilities and reduce risk in the client’s specific environment. We support our clients by delivering the reports in a collaborative meeting where technical details are explained and questions are answered by the team that performed the testing.