defensics for penetration testers - Codenomicon
DEFEND. THEN DEPLOY.
for Penetration testing
The purpose of penetration testing is to see whether it is possible to gain access to a system by trying out various attack scenarios. Penetration testing is still largely done manually: one or more security experts are called in to conduct ad-hoc tests. This is a relatively slow and resource-consuming method of testing. Nevertheless, it has its purpose. Frequently, penetration testing is used to justify the need for more extensive testing.
Codenomicon DEFENSICS enables you to achieve better audit efficiency by providing easy-to-use test automation tools. The Codenomicon Network Analyzer helps you focus on the correct attack vectors and the DEFENSICS fuzzers test the systems faster and more thoroughly.
Benefits of proactive fuzz testing:<br />
FIND ZERO-DAY VULNERABILITIES:<br />
DEFENSICS has unparalleled ability to find unique, previously unknown vulnerabilities.
REPRESENTS REAL THREATS:
Fuzzing does exactly what attackers do when finding zero-day vulnerabilities: it sends unexpected messages to vulnerable systems in order to find flaws.
BUILDS SECURITY INTO YOUR SYSTEM:
Fuzzing improves the quality of your code, ensuring the security of your application.
CODENOMICON Ltd.<br />
info@codenomicon.com<br />
www.codenomicon.com<br />
Tutkijantie 4E<br />
FIN-90590 OULU<br />
FINLAND<br />
+358 424 7431<br />
10670 North Tantau Avenue<br />
Cupertino, CA 95014<br />
UNITED STATES<br />
+1 408 252 4000<br />
25/F., Queen’s Road Centre<br />
152 Queen’s Road Central<br />
HONG KONG<br />
+852 3426 22900<br />
FUZZING: PREEMPTIVE SECURITY AND ROBUSTNESS TESTING SOLUTIONS
FOR PENETRATION TESTING
Why use DEFENSICS in Penetration testing?
DEFENSICS is especially designed for penetration testers. It contains general purpose XML and Traffic capture fuzzers, enabling you to test both protocol and application level implementations, and model-based fuzzers for other frequently used protocols like HTTP, SSL/TLS and FTP, providing you with all the tools you need to perform more thorough penetration testing quickly and easily.
» AUTOMATED PENETRATION TESTING:
Codenomicon DEFENSICS tools are fully automated software-based solutions that are easy to integrate into your own security auditing processes. The resulting tests are faster and more comprehensive.
» BUILT-IN INTELLIGENCE:
Penetration testing requires substantial knowledge of protocols and systems from the testers, whereas in Fuzzing the expertise can be built into the tools. Relatively inexperienced testers can perform the fuzz tests, making it easier to build up the penetration test team. Codenomicon’s model-based fuzzers:
• COVER the entire protocol, and document every tested feature and resulting test case.
• TARGET protocol areas most susceptible to vulnerabilities to shorten test run times.
• IDENTIFY vulnerabilities in deeper protocol layers.
• GENUINELY INTEROPERATE with systems under test (SUT).
• DO NOT REQUIRE TEST TOOL CREATION OR MAINTENANCE EFFORT
» TEST ANY PROTOCOL:
The Codenomicon Traffic Capture Fuzzer can be used to test all IP-based traffic. The tests are generated from captured messages, thus no protocol specifications are needed to create the tests. It is the only tool available for testing proprietary protocols and protocol extensions. It can also be used to test systems in the very early stages of development.
» TEST ANY LAYER:
Tests should cover all layers of protocols in all infrastructure components, including browsers, load balancers, firewalls and application servers. DEFENSICS has ready-made off-the-shelf test suites for testing all communication layers, from IPv4 and IPv6 to application protocols like HTTP and SIP. Both client and server implementations can be tested.
» TEST XML APPLICATIONS THOROUGHLY:
XML is widely used, but its complexity makes it not only prone to vulnerabilities, but also hard to test. Codenomicon’s intelligent stateful fuzzers can genuinely interact with the tested system and test each layer individually, thus they achieve unparalleled efficiency in finding vulnerabilities.
» FAST TEST RUNS:
The Codenomicon Penetration Test Suite package enables you to test faster and more effectively by:
• EXECUTING MULTIPLE TESTS simultaneously
• TARGETING TESTS using MODEL-BASED FUZZERS and the NETWORK ANALYZER
Example Penetration Test Process:<br />
MAP THE ATTACK SURFACE<br />
Use the Codenomicon Network Analyzer to map real network traffic and to determine what needs to be tested. Test external communications and client-side threats in the system.
PERFORM SYSTEMATIC TESTING
DEFENSICS supports 150+ industry standard protocols with ready-made model-based fuzzers. The general purpose Traffic Capture Fuzzer and XML Fuzzer will enable you to test any protocol and XML application.
REPRODUCE AND REPORT
All vulnerabilities found using DEFENSICS can be easily reproduced, and the tools will automatically generate both technical and management documentation for all tests and the entire test plan.