VAPT Methodology

The document discusses Astra Security's methodology for conducting security testing. It covers testing of websites, mobile and API applications, as well as cloud and network infrastructure. The methodology uses both automated and manual techniques to thoroughly identify vulnerabilities.

Security Testing Methodology

Your plug & play cyber security suite.

ATTENTION: This document contains information from Astra IT, Inc. & Czar Securities Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from Astra IT, Inc. & Czar Securities Pvt. Ltd. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.

www.getastra.com

Resilient and Reliable Security solution for your application

27,000+ vulnerabilities uncovered every month
8,000+ hours of developers' & CXOs' time saved
75% vulnerability fixing rate

Table of Contents
1. Introduction
1.1 About Astra Security
1.2 Objective of Security Testing
1.3 Astra Security's VAPT Framework

2. Security Audit Scope of Work (SOW)

3. Testing Methodologies
3.1 For Websites / Web Applications
3.2 For Mobile Applications (Android)
3.3 For Mobile Applications (iOS)
3.4 For API Security
3.5 For AWS Cloud Infrastructure
3.6 For Azure Cloud Infrastructure
3.7 For Network Devices - Firewall/Routers/Printers

4. Security Testing Report & Video POCs

5. Methodology for Patching Vulnerabilities

6. Our Security Suite

7. Our VAPT Customers

8. Awards & Recognition

9. List of Top Security Issues Tested

10. Contact

Figure (coverage areas): Cloud Security Diagnostics, Bad Bots, Business Logic Vulnerabilities, API Testing, Malware in Code, Vulnerabilities in App Code, Network VAPT, Phishing & Social Hacks, SQL Injection.

1. Introduction
Vulnerability Assessment & Penetration Testing that comes without 100 emails, 250 Google searches & painstaking PDFs. It saves hundreds of hours of your & your developers' time.

1.1 About Astra Security


Astra Security makes cyber security super simple for online businesses. The company offers a security suite that comprises a security audit, a firewall & a malware scanner.

Every solution within our suite takes under five minutes to set up & offers a 10x better experience than its contemporaries. The suite is tightly integrated, offering a homogeneous experience that makes security delightful. Astra Security is a Techstars-backed company, awarded by the President of France & the PM of India for its innovation in cyber security.

1.2 Objective of Security Testing


The security testing focuses on evaluating the security of web, mobile, network, API, SaaS, blockchain & cloud applications by methodically validating & verifying the effectiveness of security controls. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.

Every vulnerability found is presented with an assessment of its impact and a proposal for a technical solution, via our collaborative cloud dashboard.

Figure (service areas): Vulnerability Assessment & Penetration Testing (VAPT); Static & Dynamic Code Analysis; Network Devices Configuration; Payment Manipulation Testing; Server Infra. & DevOps Testing; Business Logic Testing; Vulnerability Remediation Assistance with Dashboard; Bird's Eye View of VAPT; Testing per OWASP Standards & Known CVEs.


1.3 Astra Security's VAPT Framework
Every VAPT (Vulnerability Assessment & Penetration Test) is tailored to the application being tested. Apart from the standard security tests, strong emphasis is put on designing security tests tailored to your application's workflow.

Figure (what we test): Web Applications; Mobile Apps (iOS/Android); Blockchain Applications; Cloud Infrastructure (AWS/Azure); SaaS Applications; IoT Applications; Website Themes & Plugins; API Testing; Network Devices.


2. Security Audit Scope of Work (SOW)

Astra's Security Testing is based on the OWASP (Open Web Application Security Project) Testing Methodologies and the OWASP Testing Framework. During the audit we perform over 1,250 'active' tests, classified by the type of vulnerability they look for. Each active test is followed by hundreds of sub-tests.

A detailed security audit's scope is tailored to individual requirements such as the number of applications to be audited, the types of application, the desired type of security testing, our predefined number of tests for each type of application, the security assessment tools to be used, and more.

The security audit scope of work will include:


Vulnerability Assessment and Penetration Testing (VAPT)
Static & dynamic code analysis
Technical assistance in patching found security vulnerabilities
Collaborative cloud dashboard for vulnerability reporting & management
Access to our security tools/APIs
Consultation on the best security practices for your application

Hacker style testing, powered by our powerful vulnerability management & collaboration dashboard.

Qualified & Friendly Security Team

The security audit is a high-level description of the many ways organizations can test and assess their overall security posture.

Astra's team of security auditors maintains an ethical and professional approach to testing and assessing your organization's security posture. Our professional auditors combine the wisdom, qualifications and skills acquired over years of doing thousands of security audits. You get nothing but the best experience throughout the engagement.

In addition, the auditors have both the technical & communication skills to uncover vulnerabilities on your platform and collaborate with your development team to help them patch the discovered vulnerabilities in your application/network. Our team takes pride in being developer friendly.

Our security auditors have diverse educational backgrounds & hold industry-specific certifications (not limited to the list below):

Bachelors in Information Security from Northumbria University, Singapore


CEH - Certified Ethical Hacker
Advanced Diploma in Information Security, MDI, Singapore
Cyber Security Fundamentals from Kaspersky
Policy Compliance Certification, Qualys


Vulnerability Management Areas

Websites / Web Applications: Blackbox testing; Whitebox testing; Greybox testing

Mobile Apps (iOS/Android): Mobile app assessment; PDA security assessment; Network & source code testing

API Security: API analysis; API enumeration; Scope & roles testing; IDOR (Insecure Direct Object Reference)

Cloud Infra. (AWS/Azure): Cloud configuration review of the environment; Network and perimeter assessments (internal/external); Cloud security diagnostics; Server and network penetration testing

Network Devices: Network vulnerability assessment with a data review; Reviewing network strengths against common attacks; Network device penetration testing; Security assessment of network devices


3. Testing Methodologies
Our security testing approach and methodology are based on industry-leading practices such as OWASP, OSSTMM, WASC and NIST.

3.1 For Websites/Web Applications

Phase I - Initiation
- Define scope of testing for an application
- Document initial testing requirements
- Develop testing & scanning schedule
- Understand implemented functionalities in an application
- Sampling of browser-server traffic flow
- Finalize testing deliverables format

Phase II - Evaluation
- Perform static code analysis of an application
- Server infrastructure testing & DevOps testing
- Identify the loopholes in the business logic
- Do authorization checks for user access (UAC)
- Schedule manual & automated application scanning using our own tools
- List commercial and open source tools for security testing

Phase III - Discovery
- Perform dynamic analysis & penetration tests
- Payment manipulation testing
- Test for known CVEs
- Technology-specific attack vectors and payloads
- Verify findings and remove false positives
- Catalogue all the exposed vulnerabilities
- Collection of evidence and video PoCs

Phase IV - Reporting
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

For more information, visit: https://www.getastra.com/website-vapt

Hybrid of Human & Automated Vulnerability Testing.


3.2 For Mobile Applications (Android)

Phase I - Initiation
- Installation of the APK file on Android security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data

Phase II - Evaluation
- Intercept traffic through a proxy to analyze the incoming & outgoing packets of the app
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data stores (at rest, in transit or on display) and their sensitivity

Phase III - Discovery
- Based on the observations, formulate test cases and carry out the security testing for: data storage and privacy; cryptography; authentication & session management; encrypted network communications; platform interaction; code quality and build settings

Phase IV - Reporting
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for Android security testing: Network Proxy, mitmproxy, Quark, APKTool, Android Debug Bridge, MobSF, ZAP & more.

For more information, visit: https://www.getastra.com/mobile-app-vapt



3.3 For Mobile Applications (iOS)

Phase I - Initiation
- Installation of the IPA file on iOS security testing devices
- Reconnaissance & threat modeling
- All app components are identified and documented
- Define overall scope of testing
- Document initial testing requirements
- Develop testing schedule
- Sampling of test data

Phase II - Evaluation
- Intercept traffic through a proxy to analyze the packets coming in and going out of the app
- Perform source code analysis
- Understand the basic business functionality of the app to identify possible entry and exit points of information
- Identify the application's data stores (at rest, in transit or on display) and their sensitivity

Phase III - Discovery
- Based on the observations, formulate test cases and carry out the security testing for: data storage and privacy; cryptography; authentication & session management; encrypted network communications; platform interaction; code quality and build settings

Phase IV - Reporting
- Determine ease of vulnerability exploitation
- Provide app vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for iOS security testing: Network Proxy, mitmproxy, Quark, MobSF, ZAP, iMAS & more.

For more information, visit: https://www.getastra.com/mobile-app-vapt



3.4 For API Security

Phase I - Initiation
- Analyze the API endpoints
- Check the type of authentication implemented: Basic HTTP authentication, access token, cookies
- User input validation checks
- Document initial testing requirements
- Develop testing schedule
- Set up the testing environment and prepare testing tools

Phase II - Evaluation
- Check that all endpoints are protected behind authentication, to avoid a broken authentication process
- Test for API input fuzzing
- Test for unhandled HTTP methods
- Analyze API requests and responses
- Test integration endpoints

Phase III - Discovery
- Test for the following vulnerabilities: unauthorized access; data leakage; sanctioning of fuzzy input; injection vulnerabilities; parameter tampering, etc.
- Data validation testing
- Access permissions
- IDOR (Insecure Direct Object Reference)

Phase IV - Reporting
- Determine ease of vulnerability exploitation
- Provide vulnerability details on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for API security testing: Burp Suite, Proxy, SQLmap, Acunetix, DirBuster, Fuzzapi, Commix, REST API clients & more.

For more information, visit: https://getastra.com/blog/knowledge-base/api-security-testing
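
The three checks that recur in the API phases above (every endpoint behind authentication, unhandled HTTP methods, IDOR between two users) can be driven by a small harness. The block below is an added example, not Astra's tooling: it runs the checks against a constructed in-process toy API whose flaws (an ownership check missing on GET /orders/{id}, DELETE accepted with no credential) are invented for illustration, as are the user tokens. To point it at a live target, replace `toy_api` with a function that issues the request over HTTP and returns the status code and parsed JSON body.

```python
"""Constructed example of the API-phase checks: authentication on every
endpoint, unhandled HTTP methods, and IDOR between two users.  The toy
API, its tokens and its orders are invented sample data."""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, dict]
ApiFn = Callable[[str, str, Dict[str, str]], Response]

# Constructed sample data: two users, each owning one order.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {101: {"owner": "alice", "total": 49.0},
          202: {"owner": "bob", "total": 12.5}}


def _user_from(headers: Dict[str, str]):
    """Resolve a bearer token to a username, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    return TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None


def toy_api(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Deliberately flawed stand-in for a live target (constructed).
    Flaws: GET /orders/{id} never checks ownership (IDOR), and DELETE is
    accepted without any credential (unhandled method)."""
    user = _user_from(headers)
    if path.startswith("/orders/"):
        order = ORDERS.get(int(path.rsplit("/", 1)[1]))
        if order is None:
            return 404, {}
        if method == "GET":
            return (200, order) if user else (401, {})
        if method == "DELETE":
            return 200, {"deleted": True}   # no auth, no ownership check
        return 405, {}
    if path == "/me":
        if user is None:
            return 401, {}
        return (200, {"user": user}) if method == "GET" else (405, {})
    return 404, {}


def _bearer(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}"}


def check_endpoint(api: ApiFn, path: str, owner_token: str,
                   other_token: str) -> List[Tuple[str, str]]:
    """Run the three checks against one object endpoint.  owner_token
    belongs to the object's owner, other_token to an unrelated user."""
    findings = []
    # 1. Unauthorized access: the endpoint must reject anonymous requests.
    status, _ = api("GET", path, {})
    if status == 200:
        findings.append(("Unauthorized Access",
                         f"GET {path} served data without credentials"))
    # 2. Unhandled HTTP methods: anything but an explicit refusal
    #    (401/403/405) or 404 for an anonymous mutating request is a gap.
    for method in ("PUT", "PATCH", "DELETE"):
        status, _ = api(method, path, {})
        if status not in (401, 403, 404, 405):
            findings.append(("Unhandled HTTP Method",
                             f"{method} {path} returned {status} anonymously"))
    # 3. IDOR: a second authenticated user must not get the owner's object.
    s_owner, body_owner = api("GET", path, _bearer(owner_token))
    s_other, body_other = api("GET", path, _bearer(other_token))
    if s_owner == 200 and s_other == 200 and body_owner == body_other:
        findings.append(("IDOR", f"GET {path} returned the owner's object "
                                 "to a different authenticated user"))
    return findings


def run_checks(api: ApiFn, targets: Dict[str, Tuple[str, str]]):
    """targets maps path -> (owner_token, other_token)."""
    return {p: check_endpoint(api, p, *toks) for p, toks in targets.items()}


if __name__ == "__main__":
    report = run_checks(toy_api, {"/orders/101": ("tok-alice", "tok-bob"),
                                  "/me": ("tok-alice", "tok-bob")})
    for path, findings in report.items():
        print(path, findings or "no findings")
```

The IDOR check compares the bodies returned to the two users rather than just the status codes, because an API that returns 200 with an empty or user-scoped body is behaving correctly; only an identical object handed to both users is a finding.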


3.5 For AWS Cloud Infrastructure

Phase I - Initiation
- Define scope of testing for your AWS integration
- Obtain access keys for the account (AWS recommends a dedicated IAM role with read-only audit permissions rather than root credentials)
- Network and perimeter assessments (internal/external)
- Finalize testing deliverables format

Phase II - Evaluation
- Configuration review of the environment
- Review Identity and Access Management (IAM) users, groups and roles
- Review access control management on the cloud
- EC2, SNS and RDS security configuration review
- Review other AWS policies for: S3 buckets, SQS queues, KMS keys

Phase III - Discovery
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Run vulnerability scanning with tools such as CloudSploit
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics

Phase IV - Reporting
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for cloud infrastructure testing for AWS: Prowler, CloudSploit, Cloudsplaining, ScoutSuite, CloudJack & more.

For more information, visit: https://getastra.com/blog/security-audit/aws-security-audit
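
What the Phase II configuration review actually looks for in the IAM, S3 and EC2 areas above is a handful of well-known misconfigurations: admin-equivalent or privilege-escalating IAM statements, bucket policies that grant anonymous access without a condition, and security groups exposing management ports to the internet. The block below is an added example, not Astra's tooling and not the output of Prowler or ScoutSuite: it runs those checks over constructed JSON snapshots shaped like the `aws iam get-policy-version`, `aws s3api get-bucket-policy` and `aws ec2 describe-security-groups` output, trimmed to the relevant fields. The Azure review in 3.6 follows the same pattern (role assignments, storage account network rules, NSG rules) once the resource JSON is swapped in.

```python
"""Constructed example of an AWS configuration review: an IAM policy,
an S3 bucket policy and an EC2 security group checked for classic
misconfigurations.  All three snapshots are invented sample data."""
import ipaddress
from typing import List

# --- Constructed snapshots (trimmed to the fields the checks read) ---
IAM_POLICY = {"Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow",
     "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "*"},
]}
BUCKET_POLICY = {"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}},
]}
SECURITY_GROUP = {"GroupId": "sg-0123456789", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}

# Ports that should never face the internet (80/443 are expected to).
MGMT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
              1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}
# Actions that let a principal grant itself more access.
ESCALATION = {"iam:*", "iam:PassRole", "iam:CreatePolicyVersion",
              "iam:AttachUserPolicy", "iam:AttachRolePolicy", "sts:AssumeRole"}


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def review_iam_policy(doc: dict) -> List[str]:
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        sid = st.get("Sid", "<no Sid>")
        if "*" in resources and "*" in actions:
            findings.append(f"IAM {sid}: full admin (Action * on Resource *)")
        elif "*" in resources and ESCALATION & actions:
            findings.append(f"IAM {sid}: privilege-escalation action "
                            f"{sorted(ESCALATION & actions)} on Resource *")
    return findings


def review_bucket_policy(doc: dict) -> List[str]:
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict)
            and "*" in _as_list(principal.get("AWS", [])))
        # An anonymous grant restricted by a Condition (VPC endpoint,
        # source IP, ...) is reviewed by hand, not flagged outright.
        if st.get("Effect") == "Allow" and anonymous and not st.get("Condition"):
            findings.append(f"S3 {st.get('Sid', '<no Sid>')}: anonymous "
                            f"{_as_list(st.get('Action'))} with no Condition")
    return findings


def review_security_group(sg: dict) -> List[str]:
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            continue                       # not world-reachable
        if rule.get("IpProtocol") == "-1":  # "all traffic" rules carry no ports
            findings.append(f"SG {sg['GroupId']}: all protocols/ports open to the world")
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed = [f"{p}/{n}" for p, n in MGMT_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append(f"SG {sg['GroupId']}: {', '.join(exposed)} open to the world")
    return findings


def review_all() -> List[str]:
    return (review_iam_policy(IAM_POLICY) + review_bucket_policy(BUCKET_POLICY)
            + review_security_group(SECURITY_GROUP))


if __name__ == "__main__":
    for line in review_all():
        print(line)
```

Against the sample data this yields four findings: the `Admin` and `Pass` IAM statements, the `PublicRead` bucket statement, and SSH open to 0.0.0.0/0; the conditioned `VpceOnly` grant and the 443 rule are correctly left alone.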


3.6 For Azure Cloud Infrastructure

Phase I - Initiation
- Define scope of testing for your Azure integration
- Obtain credentials for the subscription (a dedicated service principal with the Reader / Security Reader roles rather than an owner account)
- Network and perimeter assessments (internal/external)
- Finalize testing deliverables format

Phase II - Evaluation
- Configuration review of the environment
- Review Identity and Access Management (IAM) users, groups and roles
- Review access control management on the cloud
- Storage, VMs, SQL Database, Key Vault & App Service Environment security configuration review
- Review data protection & encryption

Phase III - Discovery
- Based on the evaluation, start finding open vulnerabilities & security loopholes
- Run vulnerability scanning with tools
- Perform server and network penetration testing
- Perform 50+ security tests
- Run cloud security diagnostics

Phase IV - Reporting
- Provide details of vulnerabilities & misconfigurations on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for cloud infrastructure testing for Azure: Azucar, CloudSploit, ScoutSuite, MicroBurst, cs-suite & more.



3.7 For Network Devices - Firewalls/Routers/Printers

Phase I - Initiation
- Define scope of testing for network devices
- Develop testing schedule
- Identify any deficiencies that put the customer at risk of a security breach
- Understand integration of the device and topology
- Sampling of network traffic
- Finalize testing deliverables format

Phase II - Evaluation
- Check that all endpoints of the devices are protected with authentication
- Security policies & architecture review
- Do authorization checks for user access (UAC)
- Network data review
- Evaluate the policies for remote access, etc.
- Review network strengths against common attacks

Phase III - Discovery
- Perform a risk assessment to identify threats, and analyze the control environment to determine what the risks are and their potential impact
- Vulnerability assessment of device processes, applications & functions
- Perform penetration testing to find flaws in the vulnerable devices

Phase IV - Reporting
- Provide details of vulnerabilities & misconfigured/unpatched network devices on your Astra VAPT Dashboard
- Provide technical solution or recommendations for fixes
- Independent quality review and final report submission
- Provide VAPT certificate for security audit

Outcome: Testing results are periodically updated in the Astra VAPT Dashboard.

Tools used for network device testing: Nmap, Wireshark, Nessus, Metasploit, Burp Suite, Sublist3r & more.

For more information, visit: https://getastra.com/blog/security-audit/it-security-audit
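
For the Phase II check that device endpoints are protected, and for the vulnerability assessment of device services in Phase III, the first artefact is usually an Nmap scan. The block below is an added example, not Astra's tooling: it parses the XML that `nmap -sS -sU -sV -oX scan.xml` writes and flags the services that on a firewall, router or printer mean cleartext management or an unauthenticated control channel. The embedded XML is a constructed sample, not a real scan, and the service-to-risk table is an assumption of the example, to be extended per engagement.

```python
"""Constructed example for the network-device phase: triage an Nmap XML
scan and flag management services that should not be reachable.  The
XML is a hand-written sample in the format nmap -oX produces."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed risk table for device management services (extend per engagement).
RISKY_SERVICES = {
    "telnet": "cleartext management login",
    "ftp": "cleartext file transfer / config upload",
    "http": "web management over plain HTTP (credentials in the clear)",
    "snmp": "SNMP reachable; verify v3 only and no default community strings",
    "jetdirect": "raw print port 9100; PJL commands accepted without auth",
    "tftp": "TFTP; often serves device configs without auth",
}


def parse_open_ports(xml_text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Map host IPv4 address -> [(protocol, port, service name)] for open ports."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def triage(xml_text: str) -> Dict[str, List[str]]:
    """Return, per host, the risky services found, phrased for the report."""
    findings = {}
    for addr, ports in parse_open_ports(xml_text).items():
        issues = [f"{proto}/{port} {name}: {RISKY_SERVICES[name]}"
                  for proto, port, name in ports if name in RISKY_SERVICES]
        if issues:
            findings[addr] = issues
    return findings


if __name__ == "__main__":
    for addr, issues in triage(SAMPLE_NMAP_XML).items():
        print(addr)
        for issue in issues:
            print("  -", issue)
```

Service names come from Nmap's version detection (`-sV`), so a device answering on a non-standard port is still caught; a port whose service Nmap could not identify shows up with an empty name and has to be probed by hand.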


4. Security Testing Report & Video PoCs

Astra Security's proprietary vulnerability management platform gives CISOs a bird's-eye view of the audit so they are always on top of its status. A detailed vulnerability report with video proofs of concept, Selenium scripts & the ability to collaborate with our security engineers within the dashboard ensures vulnerabilities are fixed in record time.

Each reported vulnerability includes:

Details of vulnerability
Screenshots & video PoCs
Selenium scripts for your developers to help reproduce vulnerabilities
Threat criticality with CVSS score
Business impact & consequences
Steps to re-create the issue
Tailored steps to fix the vulnerability (Patching)
Best Practices for future

Astra Security's vulnerability management dashboard comes with a bird's-eye view for management, keeping you always on top of security assessment status.

Video PoCs, Selenium scripts & collaboration with the security team enable your developers to fix the vulnerabilities in record time. With Astra Security, VAPT takes 40% less time than other solutions.


Build trust among your customers & partners with a security certificate

(sample certificate image for your-business.com)

A secure application calls for some bragging. After our engineers verify you've fixed the uncovered vulnerabilities, we issue a safe-to-host certificate. This helps inspire confidence among your customers and partners.



5. Methodology for patching vulnerabilities

We place a strong emphasis on security patching after the audit. It is important to close the loop and harden the application against attackers.

We achieve this by providing:

Detailed steps for patching
Best practices during development
Round-the-clock technical assistance
Video PoCs of discovered vulnerabilities and security loopholes
Re-audit to ensure the issue has been fixed

After the security vulnerabilities have been satisfactorily resolved, a full re-scan is conducted to ensure that there are no gaps. A certificate is then issued to confirm the same.

Additional Security Mechanisms

To ensure the highest level of security we believe in 'Proactive Security' measures, where we anticipate the infiltration techniques used by attackers and recommend additional countermeasures.

We take security into our own hands and fortify the application with:

Application-specific security mechanisms
Countermeasures for known attack techniques
A framework to monitor user actions on the application
Mechanisms to tackle attackers



6. Our Security Suite

Intelligent web application firewall & malware scanner

Protects against 100+ types of attacks
Daily automatic malware scans
Community-driven
No DNS changes required
No routing of traffic through our servers
We never become a single point of failure
Protection tailored to your technology stack

A rock-solid firewall that detects, stops & neutralizes 100+ threats including bad bots, SQLi, LFI, RFI etc. Automatic decision making & dozens of security features like country blocking, GDPR cookie consent, rate limiting, fake search engine bot detection & more.



Create your own community security (Bug Bounty) program

Your business is vulnerable. There's always a new malware or hack floating around that you are not protected against.

With community security, ethical hackers guard your website, report vulnerabilities and earn rewards. You allow people to report any security weaknesses they find through a dedicated channel and strengthen your website before it's attacked, at no cost to your business.

Launch in 4 minutes
Leverage the security community
Managed by our security experts
Self-serve dashboard
Reward hackers
Be known as a security-conscious company

For more information, visit: https://www.getastra.com/community-security



7. Our VAPT Customers

Trusted by The Ones You Trust (customer logos) & more...

"Astra carried out a security audit on our digital application which is a solution that allows companies to manage their whistleblower system. Due to the sensitive nature of the information that is processed in the application, we wanted to identify all possible security loopholes. I am very satisfied with the result and the recommendations of the audit report. It was an eye opener. We were able to optimize the security of the app to meet the expectations of our customers."

- Olivier Trupiano, CEO, Signalement (a whistleblowing platform in Europe)

8. Awards & Recognition

Astra Security was awarded a grant from the French Government under their French Tech Ticket program. We were awarded by the French president Mr. François Hollande himself.

Astra Security was awarded 'Best Cyber Security Startup' by the PM of India Mr. Narendra Modi at the Global Conference on Cyber Security.

Astra Security is recognized by NASSCOM as one of the top 50 emerging cyber security companies & has been awarded the Emerge50 award.

9. List of Top Security Issues Tested

The following table captures the top security issues found. The list is illustrative of the security issues tested for. During the actual security audit, thousands of tests are performed under each heading below, including tests tailored to your application.

Vulnerability tested                                   Exploitability   Impact
Configuration and Deployment Misconfiguration          Easy             Moderate
Application or Framework Specific Vulnerabilities      Difficult        Severe
Business Logic Flaws                                   Average          High
Shopping Cart & Payment Gateway Manipulation           Difficult        Severe
Known Security Issues (CVEs)                           Average          Moderate
Weak Identity Management                               Average          High
Broken Authentication                                  Average          Severe
Improper Authorization                                 Average          Severe
Broken Session Management                              Average          High
Weak Input Validation                                  Easy             Moderate
Error Handling                                         Difficult        Moderate
SQL Injection                                          Easy             Severe
Weak or Broken Cryptography                            Difficult        High
Client Side Script Security                            Easy             Moderate
Cross-Site Request Forgery (CSRF)                      Average          Moderate
Cross-Site Scripting (XSS)                             Average          Moderate
Clickjacking                                           Easy             Moderate
Unrestricted File Upload                               Difficult        Severe
Sensitive Data Exposure                                Difficult        Severe
Insufficient Attack Protection                         Easy             Moderate
Under-protected APIs                                   Average          Moderate
HTTP Security Header Information                       Average          Moderate



Secure your business from cyber threats using Astra Security Suite.

How can we help you? Let's talk.

[email protected]
www.getastra.com
fb.com/getAstra
@getastra
linkedin.com/company/getastra
Schedule a Call

Making Security Simple for thousands of online businesses