Penetration Testing

PCI Consulting Australia offers a Penetration Testing service that meets the PCI DSS version 3.2.1 requirements, covering network-layer and application-layer testing from both internal and external vantage points.

Our approach to application penetration testing is based on the OWASP (Open Web Application Security Project) testing methodology and extended with our own list of over 300 checks. The list is updated daily as new vulnerabilities are published.

Real-world attacks are varied and not limited to what an automated scanner can find. We therefore perform full penetration tests, including manual attempts to exploit the vulnerabilities we identify, in line with PCI DSS Requirement 11.3. Tests can be performed onsite or remotely over a VPN.

After testing we prepare a well-structured, easy-to-read report, and on request we present and explain the findings to your team.

Vulnerability Assessment

PCI Consulting Australia can also provide internal vulnerability scanning services and report accordingly.

A vulnerability assessment consists of automated scans plus manual vulnerability discovery. The main difference from a penetration test is that during a vulnerability assessment we do not attempt to exploit the vulnerabilities we find: we confirm that they exist and explain them in the report.

External Vulnerability Scanning

If you have externally reachable IP addresses within your Cardholder Data Environment, they must be scanned at least quarterly by an Approved Scanning Vendor (ASV). We provide ASV services via Qualys, and our experienced team can help you define the scanning scope, purchase the appropriate licences, and set you up to run your own scans each quarter.

Hardware Solution Penetration Testing

Hardware Solution penetration testing examines how well a device (e.g. an iPad) that has been locked down to a single purpose actually resists misuse. Testing attempts to:

  • Abuse the business logic of the application
  • Reverse engineer the application to extract passwords and other embedded secrets
  • Identify the device's communication channels and endpoints
  • Root or jailbreak the device
  • Exit the core application and reach the home screen
  • Inspect the device's external ports
  • Test the device's locking and unlocking mechanisms
  • Audit its configuration

AWS Security Review

More and more organisations are moving their infrastructure to the cloud, in particular to Amazon Web Services (AWS). One of the services we offer is an AWS security review, which examines the AWS configuration and the processes your organisation has in place around it. Among many other checks, this typically includes:

  • Architecture review of the overall design
  • Review of user accounts and their permissions (IAM)
  • Review of internal policies
  • Configuration review of all enabled services
  • Audit of S3 buckets
  • Verification of monitoring processes
  • Review of CloudTrail and other logging configuration
  • Review of encryption settings and protocols
  • Confirmation of VPC network flows and flow logging
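
To illustrate what the S3 bucket audit in the list above checks, here is an added example (not PCI Consulting Australia's own tooling) that evaluates a bucket's Block Public Access settings together with its bucket policy. It runs offline against constructed sample data shaped like the responses of the boto3 calls `get_public_access_block()` and `get_bucket_policy()`; the bucket names, policies and IP range are invented for the example.

```python
"""Offline S3 exposure check (added example). Flags buckets whose Block Public
Access settings are incomplete and bucket policies that grant access to the
anonymous principal. Sample inputs are constructed, not from a real account."""

# The four settings that make up S3 Block Public Access; an audit expects all four true.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def anonymous_principal(statement):
    """True when the statement's Principal is the anonymous/everyone principal."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return any(p in ("*", "arn:aws:iam::*") for p in aws)
    return False


def actions_of(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def classify_policy(policy):
    """Split Allow statements with an anonymous principal into unconditional grants
    (public) and conditional ones (manual review: a Condition may or may not narrow
    the caller, e.g. to a source VPC or IP range)."""
    public, review = [], []
    if not policy:
        return public, review
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not anonymous_principal(st):
            continue
        (review if st.get("Condition") else public).append(st)
    return public, review


def audit_bucket(name, public_access_block, policy):
    """Return a list of (severity, message) findings for one bucket."""
    findings = []
    pab = public_access_block or {}  # missing configuration means nothing is blocked
    off = [k for k in PAB_SETTINGS if not pab.get(k, False)]
    if off:
        findings.append(("MEDIUM", f"{name}: Block Public Access incomplete, disabled: {', '.join(off)}"))
    public, review = classify_policy(policy)
    for st in public:
        # RestrictPublicBuckets makes a public policy unreachable for anonymous callers,
        # so the policy is still wrong but not directly exploitable.
        sev = "LOW" if pab.get("RestrictPublicBuckets") else "HIGH"
        findings.append((sev, f"{name}: bucket policy grants {', '.join(actions_of(st))} to everyone"))
    for st in review:
        keys = list(st["Condition"])
        findings.append(("INFO", f"{name}: anonymous grant of {', '.join(actions_of(st))} "
                                 f"is conditioned on {keys}; verify the condition narrows the caller"))
    return findings


# Constructed sample data (hypothetical buckets), shaped like
# get_public_access_block()["PublicAccessBlockConfiguration"] and json.loads(get_bucket_policy()["Policy"]).
SAMPLE_BUCKETS = {
    "pci-logs-prod": (dict.fromkeys(PAB_SETTINGS, True), None),
    "marketing-assets": (
        dict.fromkeys(PAB_SETTINGS, False),
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::marketing-assets/*"}]},
    ),
    "vendor-exchange": (
        {"BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        {"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::vendor-exchange", "arn:aws:s3:::vendor-exchange/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}},
    ),
}


def audit_all(buckets=SAMPLE_BUCKETS):
    return {name: audit_bucket(name, pab, pol) for name, (pab, pol) in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        for sev, msg in findings or [("OK", f"{name}: no findings")]:
            print(f"[{sev}] {msg}")
```

In a live review the same functions would be fed from `list_buckets()`, `get_public_access_block()` (which raises `NoSuchPublicAccessBlockConfiguration` when nothing is set, to be treated as all four settings off) and `get_bucket_policy()`; the account-level `s3control` Public Access Block and bucket ACLs should be checked alongside, since a permissive ACL is a separate path to exposure.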

We can also tailor equivalent reviews for Microsoft Azure, Google Cloud and other leading platforms on request.