What matters most to your business: Before any scoping meeting, technical engagement or test, we take the time to get to know our clients, their businesses and their specific requirements.
We start by asking a fundamental question: Which of your organization's data matters most and needs to be protected?
This question is the foundation of our approach. Rather than simply trying to "win" an assignment, we focus on understanding each client's needs and tailoring our services to them. By putting the client's interests first, we can deliver targeted work that addresses their actual concerns and provides the most value.
At OmegaSec, we adopt a structured methodology and process when engaging in a project. Throughout the course of our collaboration, we follow these key steps:
Defining the Scope: Our testing process begins with a meeting with the client to establish the scope of the test precisely. In this session we discuss the functionality of the system or application to be tested, any constraints or exclusions that apply (for example, systems or operations that must not be touched), and any specific security concerns the client has raised. We also identify third parties involved, such as development, management or hosting providers, since their authorization may be required before testing can begin, and we agree on the expected timeframe for the test. Finally, we identify the prerequisites (such as test accounts, network access or a suitable test environment) that must be in place for testing to proceed smoothly and effectively.
Proposal and Statement of Work (SoW) Document: Following the initial meeting, we prepare a detailed proposal and a Statement of Work (SoW) that describes the specific test to be performed and the estimated time needed to conduct it. The SoW constitutes our formal offer.
Agreement and Test Scheduling: Once the client approves and signs the SoW, we finalize the agreement and set mutually agreed dates for the test. No testing takes place outside the agreed timeframe unless otherwise agreed in writing.
Test Execution: At the designated start time, the test officially begins. To avoid lost time and misleading results, we require that the system under test is fully operational and functional throughout this period. Depending on the nature of the system and the client's preference, the test can be conducted on-site or remotely. We ask the client to assign a designated contact person to the project. Throughout the test we stay in regular contact with that person, keeping them informed of progress and reporting significant findings as they emerge rather than holding them back for the final report, so that critical issues can be addressed without delay.
Comprehensive Test Report: Once the test is completed, we prepare a detailed report of our findings. The report has two main sections:
Management Summary: A concise summary that outlines the scope of the test, highlights the main results and gives an overall assessment of the application's security level.
Findings and Recommendations: This section lists every security issue identified in the application. Each finding includes a general description for context, an assessment of the business impact, a risk level derived from that impact, specific details (including screenshots, code extracts, and HTTP requests and responses where relevant), and any further information needed to understand the problem and identify the affected component, so that the development team can reproduce and verify the issue. Recommendations are provided wherever possible and are tailored to the specific technology and platform of the application under test.
Client Feedback and Discussion: We value client input, and whenever feasible we encourage clients to comment on the report findings. This feedback is particularly important when assessing the business impact of the identified issues, since the client understands best what matters to their organization. Client feedback also shapes the recommendations: some recommendations may be impractical in a given environment, and the client may be able to suggest viable alternatives.
Optional Meeting for Discussion: At the client's request, we organize a meeting to discuss the test findings with all relevant parties, such as the technical team, management, developers, vendors and other stakeholders.
At OmegaSec, our commitment to transparent communication, thorough reporting and collaborative discussion ensures that our clients gain a clear understanding of the test results and the steps needed to improve their security posture.