Synopsis

  • Security assessment conducted without access to code or design documentation.
  • Assessment of tools, libraries, protocols, or services not owned or controlled by client.
  • Document discovered inputs, data paths, protection schemes (authentication, authorization, failure modes).
  • Actively assess and document behavior of components under attack.
  • Provide evidence, documentation, and tools to reproduce vulnerabilities discovered as a result of testing.

Matasano's Advantage

Black Box Testing captures the scope and impact of vulnerabilities exposed to attackers with minimal information about a target system. Black Box engagements, typically shorter than full-scale security audits, offer organizations the ability to validate, prioritize, and triage the vulnerabilities that are most evident to skilled attackers.

Matasano was founded by some of the most successful Black Box testers in the field; our work includes "Insertion, Evasion, and Denial Of Service", which defeated every Intrusion Detection product shipping at the time of its release, and numerous vulnerabilities published in closed-source products. Our additional competitive advantages in black box testing include:

  • More practical experience probing and black-box testing products, per team member, than any other services organization.

  • The ability to rapidly prototype and deliver customized testing tools tailored to specific engagements.

  • Published results from binary reverse engineering of software and network protocols, using both custom and well-known tools such as IDA Pro.

  • Authorship of attack and testing code for hundreds of vulnerabilities in network protocols, web applications, database interfaces, and operating systems; many of these tools are components of well-known security products.

  • A practice built on deep experience and thought leadership, rather than on "off the shelf" automated scanners, public exploits, and scripted methodologies.

Typical Staffing & Delivery

  • Short-Term (2-3 week) Engagement
  • On-site or Off-site delivery
  • Dedicated full-time team of consultants
  • Daily findings and full written summary