DotSec specialises in testing applications and services for its government, financial, legal, investment, gaming, payment and data-centre clients.
At DotSec, we pride ourselves on our independence, and on our ability to bring together the skills of experts who do not just test and assess systems, but who have developed, integrated and maintained information systems for over 13 years. When it comes to assessment and testing, DotSec works with you to understand your business processes, identify your assets, and assess and then manage your risks. You can be certain of receiving a complete and concise report, since our assessments are not clouded by any partner, reseller or vendor relationships.
Methodology and tools overview
DotSec security professionals conduct a wide range of Threat and Risk Assessments (TRAs), which can be uninformed (blind) or informed, and which can include Penetration Tests (pen tests), code reviews and design reviews. Our core process is consistent and is based on a number of standards, primarily AS/NZS ISO 31000:2009, AS ISO/IEC 27002:2015, the Australian Government Information Security Manual (ISM) and IS18/IT&T-14 (State). Of course, most customers will have some unique requirements (generally concerning either scoping and the availability of scoping information, or custom reporting requirements), and we are very happy to accommodate those needs.
Whatever the case, our customers are always presented with a detailed report which includes the following sections:
- Executive summary, which includes summaries of the target of assessment, key findings and key recommendations.
- Scope and asset list, which describes the target(s) of assessment in detail.
- Findings and recommendations, which includes a list of discovered vulnerabilities, the risk associated with each vulnerability, and a summary of related risk mitigation recommendations.
- Threat and risk assessment, which includes detailed descriptions of the vulnerabilities or shortcomings that were discovered, the techniques that were used in the discovery, and a description of how each vulnerability could be exploited in a successful attack.
- Recommendations, which describes how the level of risk associated with each vulnerability may be reduced to an acceptable level.
We are often asked what tools we use when completing an assessment. The fact of the matter is that any tool is only as good as its operator, and an assessment that relies on a particular tool will always fall short. For the record, tools that we have used in the past include nmap, wireshark, Nessus, various Retina products, MBSA, various proxies, most command-line network utilities, airsnort, most automated hashing tools (Cloud Cracker is brilliant!) and so on. However, it is our assessors’ experience and insight, not the tools, that allow us to consistently deliver high-quality and valuable results.
You tell us! DotSec understands that many customers have particular requirements and goals that need to be met, and so we conduct assessments to suit your requirements. Here we describe the kinds of assessments that we can perform for you.