Security Testing

No two organizations are identical, which is why all of our services are tailored to meet your organization's unique needs. We're entirely a cyber security testing and training company, which means that there is no implicit vendor bias and our testing is always impartial and free of any conflicts of interest.

Penetration Testing

  • Network penetration testing
  • Application penetration testing
  • SaaS & Cloud
  • Wireless
  • Mainframe
  • Social engineering (Phishing, Vishing, In-Person)
  • Red team
  • Embedded device testing
  • Radio Frequency and Protocol analysis
  • Internet of Things (IoT)
  • Smart Grid security
  • Industrial Control Systems (ICS)

Application Security

  • Web Application Vulnerability Assessment
  • API Testing
  • SaaS & Cloud
  • Source Code Review
  • Thick Client Assessment
  • AppTrust Application Certification
  • Agile SDLC Integration and Testing

Mobile Devices

  • Mobile Device Application Testing
  • Mobile Application API
  • Source Code Review

What to expect

From the very start of engaging FYRM, you will be assigned a lead project point of contact who will guide you throughout the entire process. Your point of contact will serve as both the project manager and your senior technical resource for the engagement. The project manager and all team members will possess at least one industry certification (OSCP, CISSP, CISM, GPEN, etc.).

An engagement typically consists of scope confirmation, a kickoff meeting, weekly or more frequent status updates, knowledge transfer, report delivery, an optional re-testing period and a final outbrief. We encourage client staff to observe and monitor the testing process to learn from our experience, approach and methodology.

Downtime Reduction

Through a variety of methods, we make every effort to reduce downtime and impact to production environments. FYRM will tailor its testing where possible, while informing you of any reduction in testing effectiveness or increased risk exposure.

Frequent Communication

Status updates are provided on a weekly basis, at minimum. Depending on the nature of the test, if any high-risk issues are discovered, FYRM personnel will notify client staff immediately. To assist in remediation activities, FYRM will share detailed exploit "walk-throughs" which demonstrate all steps required to replicate the exploit.

Accuracy and Quality

Upon completion of technical testing and prior to report delivery, all deliverables undergo a thorough internal peer review process to ensure all testing is thorough, consistent and accurate. Relying on our ISO/IEC 17020:2012 accredited quality system, our testing is accurate and repeatable.

Testing Methodology

FYRM conducts assessments utilizing our SAVE methodology. The SAVE methodology is based on industry-recognized best practices and standards to ensure each engagement is performed in an efficient, consistent, and thorough manner. Specifically, the SAVE methodology provides a simple and repeatable process that incorporates NIST SP 800-115, ISSAF, OSSTMM, and OWASP principles.

Survey

FYRM Associates will review the target environment's architecture and determine an optimal plan of attack. Depending on the engagement goals, FYRM may perform open source intelligence and information gathering. FYRM will utilize a combination of manual techniques and automated tools to map and assess your environment in the most efficient manner. From simple environment footprinting and vulnerability testing to discovering 0-day vulnerabilities and cross-referencing scan data from all sources, the Survey phase provides accurate results that eliminate false positives and prevent false negatives.

Analyze

FYRM Associates evaluates each vulnerability identified during the Survey phase on an individual and combined basis in order to identify potential attack vectors. Each vulnerability is also analyzed according to the Common Vulnerability Scoring System (CVSS) to determine the corresponding severity scores as they relate to your organization. The attack vectors are analyzed and assigned a risk rating by calculating the exploitability of the vulnerabilities, attack probability, and impact to your organization. The combination of vulnerability severity scores and attack risk ratings provides your organization with an accurate portrayal of the environment’s overall information security posture.

FYRM Associates also performs "Root Cause" analysis to determine how the vulnerability was introduced into the environment. The result of FYRM Associates' in-depth analysis is a prioritized Vulnerability Remediation Roadmap. Your remediation efforts are reduced and simplified by our collaborative severity scores and risk ratings, Root Cause analysis, and Vulnerability Remediation Roadmap.

Verify

In coordination with your organization, FYRM Associates performs penetration testing by simulating, in a controlled scenario, the attack vectors evaluated during the Analyze phase. Penetration testing allows your organization to more accurately ascertain the impact of attacks on the confidentiality, integrity, and availability of the networks, systems, applications and, most importantly, the information that resides in your infrastructure. FYRM Associates updates the vulnerability severity scores and attack vector risk ratings based on the penetration test results. The Vulnerability Remediation Roadmap may also be modified to incorporate the information obtained during the Verify phase.

Educate

Through a combination of knowledge transfer, status updates, and engagement meetings, FYRM utilizes every opportunity to educate your organization on our process and assessment findings. These practices ensure your organization is confident in how to efficiently and effectively improve its information security posture against the ever-changing threat landscape.