
Company Profile: www.secureroot.co.in

Secure Root Risk Advisory LLP is a global cybersecurity firm that offers services such as vulnerability assessments, penetration testing, security compliance, risk advisory, red team operations, secure code review, cloud security, and security awareness programs. Their goal is to help organizations ensure their safety in today's threat landscape through the expertise of their security professionals. Their services include governance, risk and compliance reviews, vulnerability assessments and penetration testing, secure code reviews, and red team assessments.

Uploaded by

Sumit Kumar

COMPANY PROFILE

www.secureroot.co.in
ABOUT US
Secure Root Risk Advisory LLP is a global cyber security service provider
that offers various security services, consulting and solutions. We offer
services such as vulnerability assessments, penetration testing, security
compliance, risk advisory, red team operations, secure code review,
cloud security, secure software development and security awareness
programs. Our goal is to assure organizations that they are safe in a world
of security breaches, with assistance from our skilled group of security
professionals. Our approach gives you a full picture of your organizational
and associated IT risks, with recommended solutions that provide
best-in-class enterprise-level information security management.

OUR SERVICES
• Governance Risk and Compliances
• Vulnerability Assessment and Penetration Testing (VAPT)
• Secure Code Review
• Red Team Assessment

GOVERNANCE RISK AND COMPLIANCES
SOC (System and Organization Controls) 2 Audit
A SOC 2 audit report provides detailed information and assurance about a service organization's security, availability,
processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s (American Institute of
Certified Public Accountants) TSC (Trust Services Criteria).

SOC 2 type 2 audits are essential in regulatory oversight, vendor management programs, internal governance and risk
management.

ISO 27001: the International Information Security Standard


ISO/IEC 27001:2013 (also known as ISO27001) is the international standard for information security. It sets out the specification for
an information security management system (ISMS).
The information security management system standard’s best-practice approach helps organizations manage their information
security by addressing people, processes and technology.
Certification to the ISO 27001 Standard is recognized worldwide as an indication that your ISMS is aligned with information security
best practices.
PCI DSS (Payment Card Industry Data Security Standard)

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to
reduce payment card fraud by increasing security controls around cardholder data.

The Standard results from a collaboration between the major payment brands (American Express,
Discover, JCB, Mastercard and Visa), and is administered by the PCI SSC (Payment Card Industry Security
Standards Council).

The Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data
protection. Companies that deal with protected health information (PHI) must have physical, network, and
process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone
providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to
patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance.
Other entities, such as subcontractors and any other related business associates, must also be in compliance.

SECURING TECHNOLOGY SERVICES
Under our VAPT service, we test the complete IT infrastructure (Mobile/Web App, Servers, Networks,
Desktops/Laptops, APIs, CRM/ERP) of an organization. We recommend solutions for all the
vulnerabilities and re-test after the organization's engineering team patches all those
vulnerabilities.

Vulnerability Assessment and Penetration Testing (VAPT) is the combination of two different security
services: VA (Vulnerability Assessment) and PT (Penetration Testing). VAPT
services are generally used for threat analysis, security inspection, forensic analysis, security
correction, recommendation, security monitoring and penetration testing. VAPT assessments are
generally offered by the Digital Group, which typically focuses on the pitfalls involved in the
structure of the company or maintained by any enterprise; the significance of these VAPT
services has also been analyzed by the Digital Group only. The Digital Group offers the penetration test,
which is practical testing typically done to examine the security of all the IT systems and important
databases of the organization.

TYPES OF VAPT SERVICES OFFERED

VAPT METHODOLOGY

VAPT Engagement Cycle

VAPT APPROACH

VAPT REPORTING APPROACH

LIST OF VAPT TOOLS

MOBILE APPS
• MobSF
• APK Tool
• Dex2jar
• JD-GUI
• Burp Suite
• Frida
• ReFlutter
• Xposed Framework
• Drozer

WEB APPLICATION
• Acunetix
• Netsparker
• OWASP ZAP
• Nikto
• SQLMap
• OpenVAS
• Burp Suite
• SSL Scan
• DIRB
• Fiddler
• BeEF

NETWORK INFRASTRUCTURE AND WIRELESS
• Nmap
• Nessus
• Qualys Guard
• DNS Recon
• Metasploit Framework
• Aircrack-ng
• Kismet
• Wireshark
• Hydra
• Exploit DB

API SECURITY
• SoapUI
• Postman
• Burp Suite
• Fiddler

THICK CLIENT/DESKTOP APPLICATIONS SECURITY TESTING
• Burp Suite
• Echo Mirage
• Process Hacker
• CFF Explorer
• Wireshark
• TCP Dump
• Procmon
• Process Monitor
• Process Explorer
• dnSpy
• JetBrains dotPeek
• DLLSpy

SECURE CODE ANALYSIS/REVIEW
• CxSAST
• Fortify
• HCL AppScan
• Kiuwan
• MobSF
• OWASP ASST

DOCKER/ CONTAINER SECURITY TESTING CONFIGURATION AUDITING

• Docker Bench for Security • CloudSploit Scan

• Clair • Kube-Bench

• Dockle • Nipper

• OpenSCAP Workbench • Nessus

• DokScan • CCAT Tool

• Lynis

OUR TESTING APPROACH
We offer an optimum combination of 70% manual and 30%
automated testing. Under automated testing, we follow
OWASP 10 and SANS 25 standards, wherein we check for 180
standard test cases. Under manual testing, we check for 30-40
customized test cases, along with homegrown scripts that
are customized based on the business logic and data flow within
the scope of work.

SECURE CODE REVIEW
A secure code review is a specialized task involving manual and/or automated review of an
application's source code in an attempt to identify security-related weaknesses (flaws) in the code. A
secure code review does not attempt to identify every issue in the code, but instead looks to provide
insight into what types of problems exist and to help the developers of the application understand
what classes of issues are present. The goal is to arm the developers with information to help them
make the application's source code more sound and secure.

OUR SECURE CODE REVIEW METHODOLOGY

RED TEAM ASSESSMENT
A red team assessment is a goal-based adversarial activity that requires a big-picture, holistic view of the
organization from the perspective of an adversary. This assessment process is designed to meet the needs of
complex organizations handling a variety of sensitive assets through technical, physical, or process-based means.
The purpose of conducting a red teaming assessment is to demonstrate how real world attackers can combine
seemingly unrelated exploits to achieve their goal. It is an effective way to show that even the most sophisticated
firewall in the world means very little if an attacker can walk out of the data center with an unencrypted hard drive.
Instead of relying on a single network appliance to secure sensitive data, it’s better to take a defense in depth
approach and continuously improve your people, process, and technology.

RED TEAM ASSESSMENT METHODOLOGY

THANK YOU
FOR YOUR ATTENTION

Get In Touch With US

For Sales: sales@secureroot.co.in


Contact US: +91-8429093988, +91-7843815553