Frequently Asked Questions - FAQ

Here are questions that people ask us regularly.
Please contact us for any other questions or information.

We test all types of web applications, including Internet / intranet sites, mobile applications, SaaS software, APIs, etc.
By application, we mean everything that concerns the application or software layer. This therefore covers more than just the security of mobile applications.
It is vital that your host should be secure, but, unfortunately, this is not enough to ensure your platform’s security. Flaws in your application’s code leave the way open to multiple attacks, which can cause interruptions of services, distortion and/or misuse of content, and theft of data.
Currently, it is estimated that 80% of web applications have at least one critical flaw.
All websites are targets of cyber-attacks, including those that do not host any sensitive data.
Hackers may wish to practise, to take control of your server in order to host a malevolent site, or just to have some fun.
For example, sites created with WordPress are among the most frequently hacked. Some attacks are automated on a large scale to target tens of thousands of websites.
Scanning software performs automated security analyses. It detects a certain number of known, listed flaws. This is a first level of security.

A security audit is based on manual and semi-automated intrusion tests. Each audit is made to measure according to your technical and functional architecture. Manual intrusion tests detect flaws that cannot be seen by scanning software (for example, logic flaws). They are also used for deeper analysis by exploiting the vulnerabilities that are found, in order to evaluate their impact.
Web application firewalls (WAFs) protect your applications by acting as a shield, without correcting the security flaws. They can be evaded by an experienced attacker. Intrusion tests allow you to correct the flaws in your website or software application itself.

For maximum security, you can combine these two approaches.
Internal attackers are a major threat that can have some of the most costly impacts for an organisation. They may be malevolent employees who express their discontent or a desire for recognition.

But some attackers outside the company may also use manipulation techniques to obtain login identifiers, passwords, etc. In this case, it is important that the application’s functionalities should be compartmentalised in order to limit the extent of damage.
Sophisticated cyber-attacks often combine hacking techniques with social engineering techniques. Social engineering relies on impersonation (taking on a false identity) to retrieve information, through phishing e-mails, fraudulent phone calls, and physical intrusions into your premises.

By testing your staff’s reaction to these impersonation techniques, you can put in place more effective security measures which incorporate the human factor.
We use the OWASP reference framework, which makes recommendations concerning web security. We follow a four-stage methodology: reconnaissance, mapping, discovery and exploitation. Our technical experts have GWAPT certification, but, above all, they are passionate about keeping up with technology and about continued learning.

Innovation is constant in hacking, which is why we devote a major part of our time to the search for new flaws and new sophisticated attack techniques.
The only honest answer is no. It is never possible to achieve zero risk.

In addition, the security measures to be applied depend on the level of risk to which your applications are exposed. We advise you to put in place an adequate level of security by taking into account your objectives and your budget.
We present you with a complete audit report specifying what we have tested, how we tested it, what flaws we have found, and how they can be exploited. Our report contains screenshots, extracts of stolen data, and scenarios for replaying the attacks.

Our aim is also to increase your technical staff’s expertise by making them aware of security through our services.
Our audit report contains technical suggestions of remedial measures. The corrections to be applied are detailed flaw by flaw, so the result can be used directly by developers.

However, we ourselves do not correct the code of your application.
"Hacking" is a general term for a number of various techniques that exploit hardware or human flaws and vulnerabilities in information technology. Hacking can be used for benevolent or malevolent purposes.

Beyond declarations of intention, our activity is within a legal framework. We intervene only at your request, after a contract and a test authorisation have been signed. Your host is informed of our tests, which are performed from one single IP address that is used to identify their place of origin. All our assignments are covered by our insurance, and we can choose to perform tests on an application in production or a staging platform, depending on the degree of criticality of the stakes involved on your platform.
Open Web Application Security Project. A free community working on the security of web applications. It publishes the OWASP Top 10, which lists the main security flaws that are found in web applications.
Penetration test or intrusion test. A security evaluation method that consists in simulating malevolent attacks in order to detect the vulnerabilities of an application or a system.
An injection-type attack technique that aims to interact with the web application’s database through the application’s functionalities.
An attack consisting in inserting dangerous content into a target site. It can result in total modification of the site’s content or in the theft of data.
Manipulation techniques that aim to influence the behaviour of the people targeted in order to obtain confidential information or to have them carry out actions, in the context of a cyberattack.
Ethical hackers. People with expertise in information system security who act completely legally, for example, in order to conduct security audits.
Hackers acting illegally. Information system pirates.

Web Application Firewall. A protection mechanism that screens requests addressed to a web server and detects attacks. It blocks dangerous requests and can also control the replies sent back by the server.