Q: What are the advantages of eSurfing Cloud Penetration Test?
A: 1. Industry-leading consulting team
With reference to international and national standards, we conduct a scientific and effective risk assessment of the system. Our consultant team holds professional qualifications such as CISP, CISSP, ISO 27001 and Security+ and has many years of project experience.
2. Operator-level practical capabilities
Our technical consultants have many years of experience in information system security assessment and assurance services, with extensive experience in network and system remediation projects.
Through scientific and standardized service processes, together with complete project management and quality assurance mechanisms, we provide comprehensive and reliable security services.
Q: What are the specifications for cloud penetration tests?
A: Depending on the organization, it is recommended to choose one of three specifications according to the actual situation:
Small application system, up to 1 application system;
Medium application system, up to 5 application systems;
Large application system, up to 20 application systems;
Other specifications need to be negotiated on a case-by-case basis.
Q: Are there any security risks associated with eSurfing Cloud security penetration test service?
A: Because some functions of the automated scanning tools used in penetration tests work by simulating attacks, and because of factors such as the customer's specific system architecture, scanning may affect the target system and introduces an uncertain risk of system downtime or service outage. Specific risks are identified and contingency plans developed before the assessment begins.
Q: What does the eSurfing Cloud security penetration test service include?
A: 1. Authentication Test
Check whether the authentication requirements in the security design requirements are met, and check for defects such as password cracking, login replay and login bypass, to ensure that login verification is secure and effective.
2. Authorization Management Test
Check whether the page meets the access control requirements in the security design requirements, and check whether a user can perform services that require authorization without actually holding that authorization.
Check for cross-site request forgery, path traversal, authorization bypass, session replay, etc.
3. Data Validation Test
Check whether the input validation requirements in the security design requirements are met, and ensure that the application system handles and displays business processing information correctly.
Check for SQL injection, cross-site scripting, XPath injection, SSI injection, command injection, buffer overflow, file upload validation, and unvalidated URL redirects.
4. Availability Test
Check the system for account lockout design and application-level denial of service defects.
5. Configuration Management Test
Check for application system vulnerabilities caused by middleware configuration defects.
Check for SSL/TLS vulnerabilities, sensitive information leakage, default files and directories, infrastructure configuration management, retrieval of non-essential files, HTTP request method abuse, and directory indexing.
6. Backdoor Test
Check whether backdoor programs (web shells) are present on any page of the application system.
Q: What is the schedule for each stage of the eSurfing Cloud security penetration test service?
A: Customer confirmation: Week 1; both parties are expected to take one week to negotiate the testing plan;
Testing stage: Weeks 2-3; expected to take two weeks;
Remediation and retest: customers can submit a retest request within 1 month of receiving the test report, and the retest will be completed within 1 week;
Quality assurance: 12 months from the date the report is delivered;
Note: Customers can only request a refund during the customer confirmation stage. Once testing begins, refunds will not be accepted.
Q: What are the network requirements for eSurfing Cloud security penetration test service?
A: A penetration test can be provided when the application system's network is reachable from the scanner's network. Internet-facing systems are reachable by default; an intranet address requires a scanner to be deployed on the intranet.
Q: What is the process of eSurfing Cloud security penetration test service?
A:
Q: Is a penetration test equivalent to hacking into a system?
A: The biggest difference between a penetration test and hacking is that the former is authorized by the customer and uses controlled, non-destructive methods to discover weaknesses in the target systems and network equipment, helping administrators understand the problems their networks face.
Q: Does it affect the operation of business system?
A: In terms of scheduling, we arrange the test during off-peak hours so that the continuity of the business system is not affected.
Q: What systems does the eSurfing Cloud penetration test support?
A: The eSurfing Cloud Penetration Test Service covers the traditional browser/server (B/S) architecture and does not currently support penetration testing of mobile apps (APP).
Q: How does a penetration test identify an application system?
A: A third-level domain name is used as the unique identifier of an application system; multiple third-level domain names are counted as multiple application systems.
For example, www.ctyun.cn is one application system, and any path under it (www.ctyun.cn/+) belongs to that same application system; conversely, different third-level domain names are different application systems, so www.ctyun.cn and desk.ctyun.cn count as two application systems.
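As an added example (not part of this FAQ and not the vendor's own tooling), the following applies the identification rule above together with the small/medium/large specification tiers from the earlier answer to a constructed list of target URLs: hosts are deduplicated, paths, ports and letter case are ignored, and the resulting count is mapped to a tier. The function names and sample URLs are my own assumptions.

```python
from urllib.parse import urlsplit

# Specification tiers as stated in the FAQ: (tier name, maximum application systems).
SPEC_TIERS = [("small", 1), ("medium", 5), ("large", 20)]


def application_system(url: str) -> str:
    """Return the identifier of the application system a URL belongs to.

    The service counts one third-level domain name as one application system,
    so everything after the host (path, query, port) is ignored. Scheme-less
    inputs such as 'desk.ctyun.cn/login' are accepted as well. Assumption: any
    distinct host name (including deeper subdomains) is a distinct system.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # lower-cased, port stripped, None if absent
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.rstrip(".")


def count_application_systems(urls):
    """Deduplicate a list of URLs into the sorted set of application systems."""
    return sorted({application_system(u) for u in urls})


def specification_for(urls):
    """Pick the smallest FAQ tier that covers the URL list, or 'negotiated'
    when more than 20 application systems are in scope."""
    n = len(count_application_systems(urls))
    for name, limit in SPEC_TIERS:
        if n <= limit:
            return name
    return "negotiated"


# Constructed sample scope: four URLs that resolve to only two application systems.
SAMPLE_SCOPE = [
    "https://www.ctyun.cn/",
    "https://www.ctyun.cn/products/security?tab=pentest",
    "WWW.ctyun.cn:443/login",
    "https://desk.ctyun.cn/api/v1/tickets",
]

if __name__ == "__main__":
    print(count_application_systems(SAMPLE_SCOPE))  # ['desk.ctyun.cn', 'www.ctyun.cn']
    print(specification_for(SAMPLE_SCOPE))          # medium
```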
Q: What tools are used in penetration tests?
A: Security tools used for testing include, but are not limited to: Green Alliance WVSS, Nessus, AWVS, Nmap, SQLmap, Kali Linux, Burp Suite, etc. We also provide powerful plug-ins for detecting vulnerabilities such as SQL injection, cross-site scripting, sensitive information leakage and directory listings. The basic directory structure of the website is obtained through web crawlers, and the security posture of the website is then tested with these vulnerability plug-ins.