Penetration tests


Objectives:

To simulate the actions of an attacker on the Internet or of a person with access to the client's internal network:

  • External (from the Internet)
  • Internal (connected to the company's network)
  • Scope of implementation (internal network, applications, embedded systems, etc.):
    • "Black Box": Without information on the system being audited. These tests simulate the attacks of a hacker on the Internet.
    • "Grey Box": With knowledge of application accounts that allow the security level of the perimeter functionalities to be verified once authenticated.
    • "White Box": With knowledge of application accounts and of all the architecture elements of the audited system. These tests allow a more relevant opinion to be given on the level of application and network protection.

Architecture audits

The architecture audit is usually part of a complete audit cycle and is often performed as a preamble to penetration tests or configuration audits.

It is carried out on several aspects:

  • An analysis of the various functional and technical supports: addressing plan, partitioning of the information system into sub-networks, access-list, etc.
  • A study of the technologies and methods selected and their implementation methods (for example: a focus on authentication modules and filtering mechanisms).
  • A global approach to the perimeter in order to functionally model the system and identify the most relevant attack vectors in relation to the data flow to be protected.

Organisational and physical audits

Objectives:

To ensure that the safety management processes described and applied comply with the auditee's safety requirements, its internal reference system (if any), the state of the art or the standards adapted to (or in force in) its scope:

  • Compliance of the internal security repository

Documentary adequacy: strategy, action plan, policy, security guidelines, charter, security operating procedures (rights management, IT continuity and recovery, backup and restoration, maintenance in secure conditions, incident management, etc.), etc.

  • Compliance of the physical and logical security of the information system

Adequacy and effectiveness of technical security measures: physical access to equipment, logical access (identification/authentication procedures), logical and physical partitioning, interconnection security, configuration and parameterisation, monitoring and detection, secure development, etc.

  • Compliance of the organisation's physical security

Adequacy and effectiveness of technical security devices: physical access (badges, etc.), intrusion detection (alarms, video protection, etc.), environmental security (fire, flood, earthquake, backup power supply, etc.).

Source code audits


Objectives:

  • Scope of CC (ISO/IEC 15408) or CSPN assessments, or applications
  • Analyse and detect design errors that may lead to non-compliance with good programming practices, and cause inconsistent behaviour of the application that may lead to a vulnerability if exploited
  • Analyse and detect potential attack paths through development errors that could lead to exploitation of the shortcomings by an attacker (lack of access control on sensitive functionalities, poor management of input data, etc.). 

Configuration audits


Objectives:

To bring our clients' infrastructure into compliance with existing internal guidelines, and also with "best practices" in terms of security (standards, configuration guides, etc.):

  • Non-intrusive (unlike penetration tests)
  • Does not require any software installation on the systems to be audited
  • Can be carried out perfectly on systems in production, without risk of loss of data or service.

PASSI audits

ANSSI Security Visa

Oppida is qualified as an Information System Security Audit Provider (PASSI) according to the reference system defined by the ANSSI for all scopes, namely:

  • Architecture audits
  • Configuration audits
  • Source code audits
  • Intrusion tests
  • Organisational and physical audits

Regulatory audits

We carry out numerous audits based on specific standards:

Compliance:

  • PCI-DSS compliance audits (Visa, Mastercard)
  • ANJ compliance audits: game rules compliance audit, random number generator audit, code audit, certification audit, etc.

Certification:

  • HELIOS compliance audits: approval of dematerialisation systems for public accounting operations (Order of 27 June 2007)
  • ACTES compliance audits: approval of systems for the remote transmission of documents subject to legality control in the context of the dematerialisation of local authority documents (Order of 19 October 2005)

Certification and qualification:

  • Evaluation of eIDAS compliance, with a view to qualification by ANSSI for all eligible trust services, namely:
    • Issuance of qualified electronic signature, electronic seal and website authentication certificates
    • Qualified validation of qualified electronic signatures and qualified electronic seals
    • Qualified storage of qualified electronic signatures and qualified electronic seals
    • Qualified electronic time stamping
    • Qualified electronic registered mail
  • PVID evaluation on the 3 areas of expertise recognised by ANSSI, namely:
    • Conformity assessment
    • "Computer" tests relating to biometrics
    • "Physical" tests relating to biometrics
  • RGS audits within the framework of certification according to the RGS
  • Audit of industrial systems

Other specific audits:

  • Audit of specific technologies: Wi-Fi, VoIP, mobile terminals, Bluetooth
  • Approval and audit of electronic voting systems

Why choose Oppida?

A "tailor-made" offer

Expertise, assessment and consulting services to manage your digital risks.

A trusted third party

The approvals and accreditations obtained are all guarantees that help to ensure the absence of external pressure and the confidentiality of the work carried out.

Recognised expertise

Oppida holds the PASSI LPM qualification ("information systems security audit providers qualified for national security purposes").