THE EVOLUTION
OF PENETRATION TESTING

At Yappo Security we aim to prevent threats by ensuring compliance with international standards and best information technology practices.

We have a strong technical approach that allows us to detect weaknesses in your system before the bad guys do.

SMART REPORTING

Instead of waiting for an overpriced PDF report, your team can access all vulnerability findings in real time via a modern SaaS platform.

Our platform allows you to request re-testing of findings through a single button click, even if the penetration testing is not finished. Find clear descriptions, steps to reproduce and recommendations for each vulnerability. PDF reports are available in case you need to share them with business partners and auditors.

Real-time findings:

Do not wait for a final PDF report. Access findings once they are detected by our team.

Free re-testing:

Retest your vulnerabilities as many times as you need until you are sure your fixes are properly implemented.

Testing for compliance:

Our team is able to test your platform taking into account specific tests like those requested by PCI DSS, ISO 27001, SOC2 and HITRUST.


CLOUD BASED APPROACH

Unlike conventional penetration testing services, we leverage our own botnet to perform security tests. This enables us to expand the attack surface and discover security flaws faster while keeping highly competitive prices. This methodology is useful to bypass different kinds of IP blocking measures like brute force protection, API rate limiting based on IP or WAF based IP blacklisting.

Smart reporting:

This process occurs simultaneously with the other three. Our team documents and delivers to the client all the findings once they are detected, avoiding wasting time at the end of the analysis.

Attack nodes:

An attack node is where all our connections to the target server originate. We use a group of such nodes to perform orchestrated attacks.


Yappo experts:

Our penetration testers manage the botnet, coordinating the analysis, creating specific tasks and assessing each attack result.

Support nodes:

Support nodes were created to provide passive detection, and they also help to discover many kinds of vulnerabilities. For example, some injection-based vulnerabilities can only be detected using payloads that trigger an interaction with an external system when the injection succeeds; the support nodes are the external systems that receive and record those interactions.

SECURITY TESTING SERVICES

Web Application Penetration Testing

Yappo's team of web application penetration testers assess your web platform against OWASP Top 10 and CWE/SANS Top 25 through a combination of manual and automated tests. In case your application is hosted in a cloud environment, Yappo also analyzes all related cloud services used by the platform.

Mobile Penetration Testing

Relying on the OWASP Mobile Top 10 methodology, which covers the most dangerous security flaws of mobile applications, Yappo's penetration testers analyze iOS and Android apps to make sure your solution is safe on the marketplace.


API Penetration Testing

A poorly secured API can open security gaps for anything that is associated with it. Let Yappo help you assess your SOAP and REST APIs against the OWASP API Security Top 10 by performing complex authentication, encryption, and access control test scenarios.

Network Penetration Testing

Yappo's team attempts to break into your system to assess your level of security maturity. This analysis enables you to identify security vulnerabilities that could be exploited by a remote attacker to compromise your systems. Get a hacker's-eye view of your external environment.

CHOOSE THE BEST APPROACH FOR YOU

The amount of information we receive from your team prior to an engagement influences the type of findings we will produce. The pentesting style can be defined as either anonymous or authenticated testing.


Anonymous Testing

  • Unregistered user
  • Black box tests
  • Multiple scanners
  • Manual exploitation

Authenticated Testing

  • Authenticated users
  • Authorization tests
  • Multiple scanners
  • Privilege escalation
  • Manual exploitation

PENTESTING FOR COMPLIANCE

Our services provide PCI DSS, GDPR and HIPAA coverage for security testing.


GDPR Penetration Testing Requirements

The ‘security principle’ in Article 5(1)(f) of the GDPR states that personal data must be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”


PCI DSS Penetration Testing Requirements

• PCI DSS Requirement 6.1 can be fulfilled by establishing a process to identify security vulnerabilities in your internal and external applications, using reputable outside sources for security vulnerability information, and assigning a risk ranking (for example, ‘high’, ‘medium’, or ‘low’) to newly discovered security vulnerabilities.

• PCI DSS Requirement 11.3.1 covers the necessity to conduct external penetration testing at least once in every six months and after any significant change or upgrade of the organization’s infrastructure or application.

• PCI DSS Requirement 11.3.3 says that the vulnerabilities found during the pen tests must be resolved, and additional testing should be performed until the vulnerabilities are dealt with properly.


HIPAA Penetration Testing Requirements

• Although HIPAA does not require a penetration test or a vulnerability scan, risk analysis is an integral part of the HIPAA compliance process.

• HIPAA compliance requires covered entities to test their security controls on a regular basis.

OUR HISTORY AND VALUES

Yappo Security was born as an initiative of a group of professionals in the field of information security, with more than 10 years of experience in the IT world and offensive security.

Each member of our team has worked in companies of various sizes, so we understand the needs and constraints of each type of business.

We maintain long-term relationships with each of our clients, establishing mutual trust and becoming their main cybersecurity partner. To achieve this, we add value to our services and seek the greatest commitment from each of our members.