Provensec's HIPAA penetration testing process evaluates the security strengths and weaknesses of your IT landscape. The objective of the test is to identify vulnerabilities in your IT landscape and how they can be exploited to compromise the confidentiality, integrity, and availability of your information systems.
This helps an organisation understand the efficiency and effectiveness of its control environment and improve it.
Before we start the test, we agree on the scope and rules of engagement, which include the success criteria. Once the scope and success criteria are agreed, we start our test using the OWASP methodology. Depending on the agreed scope, this touches upon the application, network and server layers of your IT infrastructure.
The testing phase includes testing of the following layers of IT infrastructure:
Application Layer: We perform testing from the perspective of how the application can be compromised and used as a stepping stone to exploit other corporate resources. We strongly encourage our clients to supply credentials to allow the tester to assume the role of a normal user.
This allows the tester to determine whether, in any given role, the user could escalate privileges or otherwise gain access to data they are not explicitly allowed to access. In instances where a web application utilizes a backend API and the API is in scope, we test the web application and the API independently.
Infrastructure Layer: Since the infrastructure layer uses standard modes of interaction, we use automated tools to conduct the test and verify the results manually. The test verifies whether the IT infrastructure has efficient and effective controls in place to protect against attack.
Reporting: Our report not only contains the gaps in your IT environment but also shows the strengths of your control environment, which is valuable information for any compliance audit.
Re-test: Provensec conducts a free re-test to ensure all findings identified during the testing phase are properly mitigated.