The Illumant team is continually discovering heretofore unknown vulnerabilities in systems, web applications, mobile apps, medical devices, IoT systems, etc. Our robust research practice helps keep our clients ahead of the hackers. Illumant's reports allow our clients to prioritize remediation activities.
Your applications are critical to your business
Make sure they are secure.
Application Security Assessment &
Illumant provides application security assessment services and penetration testing to test the security of these critical mobile, web, and desktop applications, providing assurance to you, your clients, your stakeholders and your investors.
Application Security Assessment and Penetration Testing (AppSA)
Enumerate vulnerabilities and possible exploits, discard false positives, attempt exploitation/escalation (with and without credentials). Remediation recommendations. (Learn More)
- www — web application security assessment
- mobile — iOS and Android app security assessment
- native — desktop and server application security assessment
- device — validate the security of your IoT devices
Code Security Assessment (CodeSA)
Code review to supplement and enhance penetration testing to allow more rapid enumeration of flaws and more thorough analysis. (Learn More)
Threat Modeling (ThreatM)
Understand your application as a target, by analysis of attack surfaces and the threats that could impact them. (Learn More)
Secure Development Training (SecDev)
Your developers are busy building functionality, but are they thinking enough about and building security? Let us show you and them how insecure coding practices can lead to flaws that can be hacked, and how to write code to avoid them. (Learn More)
Cloud Platform Security Assessment (CloudSA)
Your app is secure; it should be hosted securely, as well. Analysis of your cloud infrastructure to enumerate flaws and provide recommendations to harden your cloud (AWS, Azure, Google Cloud, Docker, …). (Learn More)
SOC 2 Readiness (SOC-C)
Get ready for your SOC 2. You have secured your app and its operating environment, now demonstrate it to clients and investors. Be ready for your attestation. (Learn More)
IoT Devices, Infrastructure, and Systems (IoT)
Assess the security of your IoT systems. Includes systems design, device security, networking, data protection, risk assessment, and policies. (Request More Information)
We're the best!
We're not just making this up. Our clients tell us that we're the best pen-testing firm they've worked with. And we have some great clients.
We take a lot of pride in our reporting. Our reports are super informative and look great – and following our recommendations improves your security.
We don't just find the vulns that everyone already knows about, we find new and undiscovered vulnerabilities as well – meaning with us you are ahead of the hackers.
ZERO-DAY: Check Point ZoneAlarm Anti-virus exploit (View Blog)
Friendly, expert hackers
We have some of the top hacking talent around, but we're not just great at hacking: our experts are great at presenting and discussing, as well. And we're always ready to offer advice and more information.
Some of our best pentesters are also great secure coding and software design instructors.
Credentialed and/or non-credentialed vulnerability assessment and penetration testing of web-based and intranet applications. Testing covers injection (URL, SQL, LDAP, cookie, etc.), authentication, session management, cross-site scripting, object/function access control, and more.
The AppSA enumerates security flaws that could expose your data and your clients to security breaches, and provides remediation recommendations through vulnerability assessment and penetration testing of live applications – with and/or without credentials.
Application types include:
- web applications
- mobile apps
- desktop/server applications
- devices & IoT
Exploitation vectors include:
- authentication bypass
- lateral account takeover
- privilege escalation
- access to sensitive information
- pivoting/propagation to connected systems
Vulnerabilities targeted: logic flaws, injection (SQL, LDAP, URL …), session hijacking, XSS, CSRF, SSRF, encryption flaws, misconfigurations, vulnerable components, forged forwards and redirects, and more.
Testing provides comparisons of applications against OWASP Top 10 and other relevant application security standards.
The AppSA can be coupled with the CodeSA (code review) to expand the depth of the assessment, and to enhance recommendations.
Threat Modeling (ThreatM)
The ThreatM identifies and prioritizes threats to applications and systems, to focus security investigation, design and implementation.
The ThreatM identifies:
- attack surfaces
- threats to security
- potential impact
- design flaws
Applications are modeled as functional blocks, and a systematic process is used to enumerate and evaluate threats and impact.
Illumant leverages the STRIDE methodology and its variants, which look for the following threats to desired properties:
| Threat | Desired property |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-repudiability |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |
This approach provides a formal framework for embedding security in system design.
Cloud Security Assessment (CloudSA)
The CloudSA is a review of the configuration of cloud infrastructure to ensure maximal security.
In-depth, platform-specific review of cloud-based application infrastructure and underlying components to assess compliance with security best practices. Platforms include Amazon Web Services, Google Cloud Platform, Microsoft Azure, IBM Bluemix and more. This assessment looks at the security of the various components of cloud-based applications, including identity and access management, virtual machines, virtual networking, virtual security appliances, data storage, databases, and virtual private clouds. Common target platforms include:
- Amazon Web Services (AWS)
- Google Cloud
Comprehensive reviews of:
- Identity and Access Management
- Virtual Private Cloud Configuration
- Virtual Machine Set-up
- Virtual Networking and ACLs
- Virtual Firewalls
- Cloud Storage Security
- Cloud Relational Database Security
The CloudSA also targets container configuration and orchestration.
All clouds are unique. Our Cloud Security Assessments are tailored to your environment.
Code Security Assessment (CodeSA)
The CodeSA couples static code analysis and dynamic application testing to enhance the depth of analysis and improve efficiency of vulnerability identification, while preserving impact validation:
Adding code review to dynamic analysis:
- Quick and thorough review of input validation
- Identification of race conditions
- Thorough analysis of access controls
- Complete enumeration of insecure libraries
- Efficient identification of insecure deserialization
- Data Flow Analysis
- Control Flow Graph
- Taint Analysis
Secure Development Training (SecDev)
Security vulnerabilities in web applications are the result of code defects – secure development education isn’t ubiquitous yet, so most developers haven’t received it when they learned to code. Even today, for many developers, security is an afterthought at best.
Developers frequently make the same security-related coding errors repeatedly, so training them to avoid even one insecure development practice will lead to greater security throughout an application.
Illumant's Secure Development training aims to teach developers about the threats to applications, common coding mistakes, and the fundamentals of secure application development to ensure future coding is planned and executed securely.
This training also includes an online lab where developers are able to compete to exploit insecure code and identify secure coding practices. A leaderboard will help users compare their times with their peers.
Our security experts are also great secure development trainers.
SOC 2 Readiness (SOC-C)
Prepares a service organization to obtain SOC 2/SOC 3 reports (aka SAS 70, SSAE 16, AT 101, WebTrust, SysTrust) by identifying gaps between existing controls, attestation standards and applicable trust principles, by designing and documenting controls, and by testing controls to ensure a successful audit.
Service Organization Control (SOC) reports are a closely related family of attestation reports that provide assurance to clients and client auditors that controls are in place to ensure the security, integrity and confidentiality of client data. SOC reports are a critical tool for gaining and maintaining service customers by providing assurance that the security and integrity of data are well protected while processed and handled by service organizations, in particular those with software-as-a-service (SaaS) products. Illumant helps its clients select the appropriate SOC report(s) and helps them obtain independent attestation, by designing and documenting controls, policies and procedures, by collecting evidence to demonstrate the operating effectiveness of those controls, and by communicating with auditors to ensure a smooth attestation engagement.
Founded in 1999, Illumant has been at the forefront of Internet and information security since its inception. Illumant was one of the first companies to offer penetration testing and security assessment services to its clients, at a time when security was little more than an afterthought. Illumant was among the first companies to offer security compliance services as information security standards, laws and regulations started to emerge.
Illumant's founders graduated from Stanford University with degrees in Engineering and Physics in the earliest stages of the first Internet bubble, with the aim of addressing the vastly underserved information security arena. Illumant crafted services to help organizations identify security weaknesses in their technical infrastructure and security posture, to head off threats before they lead to potentially costly security breaches.
Utilizing an arsenal of assessment services spanning internal and external, and technical and organizational perspectives, including: