Web and Mobile Security Assessment in Accenture

In recent times, news of cyber attacks and presence of breaches in corporate IT infrastructures are increasing. Such attacks cause considerable damage in terms of both costs and reputation, which also leads to further losses. Over time, companies have changed their defence mechanisms and created specialised internal teams. In the past, the unique task of such a team was to implement a defence system based on the analysis of traffic to and from the company’s infrastructure, detecting an attack only when it was in progress. However, today it is considered very important to use an active defense approach: through activities of Penetration Testing, it is possible to simulate the behaviour of criminals to identify the many vulnerabilities that could be exploited to carry out a cyber attack, thus being able to prevent it. This thesis reports a direct experience of the various approaches implemented within companies to ensure the security of internal data and those concerning its customers. It will give an overview of the techniques used by a pentester to break into an information system in a legal and controlled way, in order to achieve its objectives. The phases of a Penetration Testing activity and the most common techniques and tools will be analysed. Penetration Testing of Web and Mobile Applications will be covered in depth, with reference to Penetration Testing Execution Standards (PTES) and the OWASP project. For both types of test, the necessary steps and the most common vulnerabilities will be analysed and the functioning of the tools used will be illustrated. In addition, two reports of activities I actually carried out during the training in the company will be attached. As well as the Penetration Testing activities, two scripting projects that automated some of the Red Team’s activities will also be analysed. Accenture allowed me to get knowledge in the field through coaching during the various activities.