iSecurity has many years of experience conducting vulnerability assessments and penetration tests at the network infrastructure, computing and application layers. Over the past 6 months we have conducted 7 technical vulnerability assessments and penetration tests in health care settings, covering infrastructure, databases, networks, and web and mobile applications (including a Mobile Asthma application).

Our Technical Vulnerability Assessment (TVA) and Penetration Testing methodologies are based on aspects of the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) testing framework. Approaches can include "black box" and "white box" external vulnerability assessments, internal infrastructure and network vulnerability assessments, and application vulnerability assessments.

We use both commercial and open source network and application scanning tools, together with commonly known attack techniques, to identify security vulnerabilities in the target environments and applications.


Infrastructure and network level testing is aimed at identifying vulnerabilities at the network and base operating system level, and is performed from the following perspectives:

  • External attacker. Someone attempting to perform malicious activities from an external connection (e.g. the Internet).
  • Internal attacker. Someone who has already compromised the external boundary (either by breaking into the internal / DMZ environment or by physically gaining access to the premises) and is attempting to perform malicious activities from within.

Network level assessments are performed using the following high level methodology:

Figure: Infrastructure / Network Level Assessment Approach

The methodology applied to network level assessments is similar to the widely accepted OSSTMM. There are multiple checks under each of the categories shown in the figure above.


Penetration testing of applications is a hybrid (automated and manual) security test that aims to uncover security vulnerabilities at the application layer. Common classes of vulnerability discovered include SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). This type of test has a high manual component, approximately 70%, and the testers build custom threat profiles to discover contextual security vulnerabilities that are specific to the application.

Application level assessments are categorized into two distinct classes:

  • Web application assessments. Applications presented through a browser by a web server. Our methodology for assessing web applications is closely aligned with the industry-accepted OWASP (Open Web Application Security Project) testing methodology.
  • Thick client (client/server) applications. Applications that are installed or executed locally on the user's workstation rather than presented through a browser.

Both types of assessment follow the same high level methodology:

Figure: Application Level Assessment Approach

Application assessments are commonly performed from the perspective of one or more of the following scenarios:

  • No knowledge. Commonly referred to as black box testing, this simulates an attacker without any knowledge of the application or its associated environment.
  • Some knowledge. Commonly referred to as grey box testing, here we simulate an attacker with some knowledge (perhaps an application user, and / or someone with knowledge about how the application works).
  • Full knowledge. Using a white box testing approach, this simulates an attacker with full knowledge of the application and its associated environment, including access to the source code (perhaps a disgruntled application developer).