Cybersecurity

Review and protect your app against security threats

  • Service tailored to the size of your business.
  • A wide range of services will allow us to address your problem comprehensively.
  • Our testing methodology is based on the best and most acclaimed industry standards provided by the Open Web Application Security Project (OWASP).

What is a Cybersecurity Review?

A cybersecurity review provides an in-depth assessment of an application regarding potential security threats and estimates the impact of such threats. As a result, the identified vulnerabilities in IT systems can be fixed or mitigated before malicious attackers can benefit from them.

Thanks to these activities, the risk of unplanned events that may negatively impact the application is minimized. In addition, the client obtains information on the application's security status - its data and architecture - as well as guidance on any necessary fixes.

Cybersecurity auditors comprehensively approach their work. They indicate deficiencies in the technical security of the system and recommend ways to fix them.

Each audit ends with a report containing the audit results, risk analysis, assessment of the current level of safety, and recommendations for its improvement. Depending on the package, the whole process can take from one to four weeks.

Available services

Penetration testing

Simulations of hacker attacks are the most adequate to verify whether the shared solutions (e.g., application/platform/system) and the processed data are safe.

Pentesters focus on identifying obsolete and vulnerable services; vulnerable configurations of services, servers, or networks.

Contrary to an actual attack, penetration testing and auditing are used to identify apparent irregularities, hidden and barely noticeable ones. The main goal is to conduct a thorough vulnerability search process rather than focusing on the first vulnerability encountered.

Meteor

Meteor applications security reviews

While Meteor underneath is just a Node.js application, a few security challenges are unique to the Meteor ecosystem. Because we at Vazco have been working with Meteor since 2012, we know all of the pitfalls in and out.

If you are interested in hardening your application, thinking about going to production, or you are already there, we're here to help.

A typical review will ensure that all of the methods and publications are secured and done correctly. We will also check other attack surfaces, including but not limited to security headers and configuration, DDoS susceptibility, served files, etc.

Recurring Retests & Support

Security is not a one-time thing but rather an ongoing process. To make sure that your app stays safe, we can do recurring cybersecurity retests in intervals that are appropriate for your product.

While a single retest is covered in most of our packages, we can go one step further and incorporate regular security reviews into your development lifecycle.

These retests can cover various scopes and can change over time. It can ensure that your services can stay safe also when your application is in active development.

Applying security fixes and software development

Finding the vulnerabilities is just the first step toward solving the problem. Most of our customers are capable of applying our review findings ourselves, due to clear instructions given in the audit reports.

If for whatever reason your regular software development lifecycle process cannot handle the fixes quickly enough, we can also take care of applying them for you.

OWASP ASVS assessment

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development. ASVS can be used to establish a level of confidence in the security of Web applications.

ASVS report is especially valuable if you want to present a high-level security overview of the system in a standardized and repetitive manner. For startups, this may be crucial during due diligence and acquisition processes.

Other services

We also provide other, well-tailored services for our most demanding clients.

If none of the mentioned services are interesting for you, please reach out to us, and we will try to find the best solution for your custom needs.

Comprehensive packages

Bronze package

The basic package is suitable for small applications, or situations when an essential assessment is sufficient.

The package covers:

  • 10+ hours of security research
  • A written report with findings
  • 30 min follow-up call with our security team

Silver package

The silver package is recommended for small to medium-sized applications where the security is treated very significantly.

It contains more in-depth research and additional services:

  • 20+ hours of security research
  • A written report with findings
  • 60 min follow-up call with our security team
  • Follow-up retests within 60 days

Gold package

Our most popular and comprehensive package.

It is recommended for medium to large applications or products with many services and integrations in use.

  • 40+ hours of security research
  • A written report with findings
  • 60 min follow-up call with our security team
  • Follow-up retests within 60 days
  • Up to 2 hours of post-audit support

Deliverables

You might be interested what is the end-point of the whole story.

Here you'll find what results you can expect.

After the penetration tests are done, you will receive a written report in a PDF format containing all found issues, along with severity level and other details:

  • Issue title / kind
  • Severity level
  • A detailed description of the issue
  • Estimation of the impact on the system
  • Steps required to reproduce
  • Optionally, a possible solution to solve the issue

All issues are grouped by severity levels.

To determine severity level, the auditors evaluate the business impact of issues and the likelihood of being exploited by the possible attacker or even ordinary user.

Besides the written report, some of our packages include a video call with the auditors that we can arrange a few days after the report has been sent.

Once you and your team have become acquainted with the report, our security researchers can answer potential questions that may have arisen.

Our offer includes the possibility of comprehensive retests of previously found vulnerabilities to determine whether they have been properly fixed.

The service can be performed up to 60 days from the date the report was sent. This should give the development team enough time to address the reported vulnerabilities.

Take your business security to the next level

Testing methodology

Our testing methodology is based on the best and acclaimed industry standards provided by the Open Web Application Security Project (OWASP).

The main goal of a review is to find vulnerable system components. The client provides us with residual information about the target against which the attack is carried out. This target can be, for example, a network, server, database, or website.

Pentesters must reflect the hacker's thinking and behavior, that is, do everything in their power to obtain financial and non-financial benefits potentially interesting for the cybercriminal. In the case of a web application, pentesters will focus on finding application-specific vulnerabilities. The service ends with an audit report, containing findings and recommendations.

In the case of reviews that are conducted in the black-box style, we deliberately don’t have access to the application’s source code. We focus on vulnerabilities that are possible to exploit with minimal possible privilege. Our tests mostly rely on manual testing with help of dedicated tools like Burp Suite, ffuf, XSpear, nmap, Nikto, Chrome Developer Tools, CyberChef, and python3.

Scope of our services can also cover additional areas depending on the case:

  • Collecting data on the functioning of the system and security requirements.
  • Performing a multi-level analysis of the obtained documentation, design specifications, technical and operational assumptions, and policies.
  • Conducting a multi-level analysis and diagnosis of the IT environment.
  • Application of professional tools for protected and generally accessible areas and verification of reports received. Checking the level of protection of the existing procedures and system components.
  • Checking the methods of gaining access to the system and possible forms of its operation.

Our reviews are following the OWASP guidelines from the Web Security Testing Guide methodology and the OWASP Top 10 Web Application Security Risks.

Our work

Check out stories of our business partners we have helped in the cybersecurity area

MaestroQA

Modern QA software to help CX teams understand and create the best customer experiences on a project of any scale.

Onyx

Low Code Development Platform for workflow management: processes, models, and document management.

aleno

A tablet-focused reservation management system for restaurants.

Top B2B Companies in Poland 2021

Contact us

Before we start, we would like to understand your needs better. We'll review your submission and schedule a free consultation call.

Michał Zacher

Michał Zacher

CEO at Vazco

Like what we do? Let’s talk about your project and build something your users will love.