defensics for penetration testers - Codenomicon

DEFEND. THEN DEPLOY.
for Penetration testing
The purpose of penetration testing is to see whether it is possible to gain access into a system by trying
out various attack scenarios. Penetration testing is still largely done manually: one or more security
experts are called in to conduct ad-hoc tests. This is a relatively slow and resource consuming method
of testing. Nevertheless, it has its purpose. Frequently, penetration testing is used to justify the need
for more extensive testing.
Codenomicon DEFENSICS enables you to achieve better audit efficiency by providing easy-to-use test
automation tools. The Codenomicon Network Analyzer helps you focus on the correct attack vectors
and the DEFENSICS fuzzers test the systems faster and more thoroughly.
Benefits of proactive fuzz testing:
FIND ZERO-DAY VULNERABILITIES:
DEFENSICS has unparalleled ability
to find unique, previously unknown
vulnerabilities.
REPRESENTS REAL THREATS:
Fuzzing does exactly what the attackers do
when finding zero-day vulnerabilities, send
unexpected messages to vulnerable systems
in order to find flaws.
BUILDS SECURITY INTO YOUR SYSTEM:
Fuzzing improves the quality of your
code ensuring the security of your
application.
CODENOMICON Ltd.
info@codenomicon.com
www.codenomicon.com
Tutkijantie 4E
FIN-90590 OULU
FINLAND
+358 424 7431
10670 North Tantau Avenue
Cupertino, CA 95014
UNITED STATES
+1 408 252 4000
25/F., Queen’s Road Centre
152 Queen’s Road Central
HONG KONG
+852 3426 22900
FUZZING: PREEMPTIVE SECURITY AND ROBUSTNESS TESTING SOLUTIONS

FOR PENETRATION TESTING
Why use DEFENSICS in Penetration testing?
DEFENSICS is especially designed for penetration testers.
It contains general purpose XML and Traffic capture fuzzers,
enabling you to test both protocol and application level
implementations, and model-based fuzzers for other frequently
used protocols like HTTP, SSL/TLS and FTP, providing you with
all the tools you need to perform more thorough penetration
testing quickly and easily.
» AUTOMATED PENETRATION TESTING:
Codenomicon DEFENSICS tools are fully automated software based
solutions that are easy to integrate to your own security auditing
processes. The resulting tests are faster and more comprehensive.
» BUILT- IN INTELLIGENCE:
Penetration testing requires substantial knowledge of protocols
and systems from the testers, whereas in Fuzzing the expertise can
be built into the tools. Relatively inexperienced testers can perform
the fuzz tests, making it easier to build up the penetration test
team. Codenomicon’s model-based fuzzers:
• COVER the entire protocol, and document every tested feature
and resulted test case.
• TARGET protocol areas most susceptible to vulnerabilities to
shorten test run times.
• IDENTIFY vulnerabilities in deeper protocol layers.
• GENUINELY INTEROPERATE with systems under test (SUT).
• DO NOT REQUIRE TEST TOOL CREATION OR
MAINTENANCE EFFORT
» TEST ANY PROTOCOL:
The Codenomicon Traffic Capture Fuzzer can be used to test all IPbased
traffic. The tests are generated from captured messages, thus
no protocol specifications are needed to create the tests. It is the
only tool available for testing proprietary protocols and protocol
extensions. It can also be used to test systems in the very early
stages of development.
» TEST ANY LAYER:
Tests should cover all layers of protocols in all infrastructure
components, including browsers, load balancers, firewalls and
application servers. DEFENSICS has ready-made off-the-shelf
test suites for testing all communication layers, from IPv4 and IPv6
to application protocols like HTTP and SIP. Both client and server
implementations can be tested.
» TEST XML APPLICATIONS THOROUGHLY:
XML is widely used, but its complexity not only makes it prone
vulnerabilities, but also hard to test. Codenomicon’s intelligent
stateful fuzzers can genuinely interact with the tested system
and test each layer individually, thus they achieve unparalleled
efficiency in finding vulnerabilities.
» FAST TEST RUNS:
The Codenomicon Penetration Test Suite package enables you to
test faster and more effectively by:
• EXECUTING MULTIPLE TESTS simultaneously
• TARGETING TESTS using MODEL-BASED FUZZERS
and the NETWORK ANALYZER
Example Penetration Test Process:
MAP THE ATTACK SURFACE
Using the Codenomicon Network Analyzer to
map real network traffic and to determine what
needs to be tested. Test external communications,
and client-side threats in the system.
PERFORM SYSTEMATIC TESTING
DEFENSICS supports 150+ industry standard
protocols with ready-made model-based fuzzers.
The general purpose Traffic Capture Fuzzer and
XML Fuzzer will enable you to test any protocol
and XML-application.
REPRODUCE AND REPORT
All vulnerabilities found using DEFENSICS
can be easily reproduced, and the tools will
automatically generate both technical and
management documentation for all tests
and the entire test plan.
CODENOMICON Ltd. | info@codenomicon.com | www.codenomicon.com