The penalty for non-compliance in the Healthcare or Payer industry is huge, and we understand and appreciate the reasons. The ISVs developing, hosting and maintaining the web applications and software products in this industry must acknowledge that these information systems directly or indirectly deal with critical and sensitive patient health and medical billing information that cannot be put at risk of tampering. The industry therefore inherently demands the utmost security measures and policies for these applications.

Silicus has a suite of test management services to cater to the challenging security requirements of the Provider and Payer industry. We have expertise in the most popular and widely-used testing tools for automation, security testing, test and defect tracking, reliability testing, performance testing, functional testing, code scanning and more. Some specific examples of security testing tools are QTP, HP LoadRunner, Selenium, HP Test Director / HP Quality Center, Test Link, QATraq and many more.

Apart from the wide range of diverse testing solutions, Silicus also boasts expertise in niche testing frameworks like system vulnerability and penetration testing, which provide a comprehensive solution for data security. Listed below are the highlights from our portfolio of niche testing services:

Vulnerability scanning identifies well-known (and often exploited) platform-related vulnerabilities such as out-of-date software, missing security patches, misconfigured infrastructure, deviations from security policies, etc. Some of the well-known web application vulnerabilities that we test for are:

  • Improper input validation
  • Parameter injection and overflow
  • SQL injection attacks
  • Cross-site scripting vulnerabilities
  • Cross-site request forgeries
  • Directory traversal attacks
  • Buffer overflows
  • Inappropriate trust (i.e. client side)
  • Poor session management
  • Improper authorization and access control mechanisms

We perform iterative vulnerability scanning during the application maintenance phase on both the application and infrastructure. This ensures that no new security risks are introduced and that the level of security is intact. It is also an excellent foundation for penetration testing.

Identifying security flaws during the design phase saves a lot of effort in the later stages of development.

We conduct intense technical discussions with the development team to understand the application's architecture and identify software vulnerabilities at the time of design. This includes architectural risk analysis, flaws in business logic and overall design review. The analysis is used to design 'Threat Profiles', which are lists of security threats to an application. These in turn are used as input for penetration testing.

Penetration testing ensures that only the users granted access to the system are capable of accessing the application through appropriate gateways. It is usually performed during system integration testing to simulate application abuses and ensure that any vulnerability uncovered is properly addressed.

Silicus uses cues from vulnerability scanning and threat modeling to baseline our approach to penetration testing. Thereafter, we work closely with your business analysis, development, and quality assurance teams in quantifying risk and providing recommendations for the identified vulnerabilities. Ethical hacking, dynamic analysis and black box testing are some of the processes that we follow for penetration testing.

Security-targeted code reviews are valuable in identifying functional and implementation-specific bugs, application vulnerabilities and security risks induced through inefficient coding techniques.

We leverage both manual inspection and automated static analysis scanning tools to identify vulnerabilities in the application, and to minimize these coding vulnerabilities we follow multiple processes such as code inspection, static analysis and white box testing.

As the complexity and sophistication of medical technology increase, the need to secure the networks that transmit sensitive information is paramount. Network Security Assessment is a comprehensive review of an organization's network. Silicus includes both the external infrastructure and the corporate network in this exercise. Based on the vulnerabilities found, the security posture of the customer's network is determined and reported.

We also hold strategic partnerships with pioneers in data security, compliance services, IT governance, risk management and network security. This makes the portfolio of our testing services a complete package for all-round security and accuracy. Some of the highlights are:

  • Wireless Audit - SSID identification, AP security, encryption verification, MAC spoofing and perimeter testing
  • Vulnerability Scans - Port scanning, IP spoofing, ARIN auditing, Web server, email and FTP auditing
  • Penetration Tests - Platform exploits, scripting errors, buffer overflows, update neglect and patch degradation
  • Device Management - Firewall/IOS configuration, change management and policy auditing/implementation
  • Physical Penetration - Facilities audits, location hardening, social engineering and dumpster diving
  • Remediation - Complete resolution of all issues identified in our audits and testing
  • Training - Timely, pertinent instruction directly related to your company's infrastructure and specific responsibilities of key personnel

Want to learn more?

To speak with us about how Silicus' Services can help your business, please submit the form below or call 713-353-7403. You can also submit RFP requests to rfp@silicus.com
