Internal Penetration Testing is a long-standing PCI requirement, the goal of which is to ensure that primary and supporting systems in the Cardholder Data Environment (CDE) are scrutinized from the perspective of a malicious attacker. Insider threats account for 15% - 40% of incidents according to Verizon Data Breach Investigation Reports, while miscellaneous errors have steadily accounted for over 20% of incidents in recent years. Internal testing helps identify weak points across the security program, from unpatched systems and insecure configurations to inadequate monitoring/alerting and threats from insiders. SpyderSec takes the time to understand your business processes and unique system architecture so that we can offer relevant recommendations and thoughtful remediation steps that will enhance your security program.
External Penetration Testing is similar to Internal Penetration Testing, with a focus on assets exposed to the internet such as end-user applications, Application Programming Interfaces (APIs) and networking devices. Testing externally facing systems and their services is exactly what attackers do on a daily basis; the main differences are that attackers have malicious intent, keep the illicit proceeds and don't share a report detailing the security shortcomings. SpyderSec studies your external perimeter, identifies vulnerabilities and provides you with the information required to make decisions that will help secure your organization and customers.
Web Application Penetration Testing is another requirement of the PCI DSS 3.2 standard and is primarily concerned with assessing web applications from a security perspective. Web applications in the realm of PCI are frequently targeted by attackers because they are externally available and customized to meet the needs of the consumer. As a result the attack surface is large and the testing required is extensive. SpyderSec takes into account the platform as a whole: from the stack, languages and modules to the functions, user input and business logic. This is done in order to understand the interactions, identify issues and provide actionable information.
Segmentation Testing is a newer addition to PCI testing that organizations which store, process and transmit cardholder data are required to perform. Segmentation testing verifies that the cardholder data environment (CDE) is isolated from non-PCI assets on adjoining networks. Ensuring PCI assets are properly isolated plays a critical role in securing sensitive information; segmentation testing validates that the necessary controls are in place and implemented properly. In some circumstances the results of segmentation testing can actually help to reduce the scope of the CDE as more efficient network architectures are identified.