
Matrix inspect

Security diagnosis service by security engineers

CONCEPT

Understand vulnerabilities and
take appropriate measures

We use our ethical hacker expertise to thoroughly inspect your systems and uncover potential vulnerabilities.

We don't just discover vulnerabilities, we propose solutions from the customer's perspective so that they can easily take concrete action.
For example, the approach to risk management differs between a system that must accept a wide range of users and a system that has a limited number of users and handles important information. The way a countermeasure is implemented also varies with the OS and middleware environment. We learn the customer's environment through interviews and diagnosis, and deliver the solution that best fits it.

SERVICE

Service overview

Matrix Inspect is a service that performs security inspections on the system resources that make up a website. It scans web pages, APIs, mobile apps (iOS/Android) and cloud resources for vulnerabilities and threats.


This service is registered with the Information Security Service Standards Examination.

Basic

This service examines and reports output from automated inspections using scanners, and is suitable for situations where you want to perform diagnosis at low cost and in a short period of time.

Business

The inspections for this service are conducted in accordance with the "Vulnerability Assessment Guidelines" established by the Japan Security Operation Providers Association and the OWASP Vulnerability Assessment Skill Map Project. Each function and operation is analyzed, and manual inspections are performed on each individual function.

Advanced

This plan adds a penetration test on top of the Business plan inspection. Based on the results detected by the vulnerability inspection, we check for high-risk vulnerabilities and for combinations of multiple vulnerabilities that together pose a threat.

Inspection approach

Matrix Inspect lets you choose the inspection content according to the target of the security inspection. The inspection content consists of vulnerability inspection, manual inspection, and intrusion inspection (penetration testing).

Vulnerability assessment

We perform inspections using vulnerability scanners and tools developed by our company. Scanning is performed with a scanner for network inspection and a scanner for web inspection. The network inspection scanner scans IP addresses and domains published on the Internet to identify running services, identify known vulnerabilities, and test whether firewall bypass is possible. The web inspection scanner inspects web content and applications, focusing on security configuration issues and on input/output validation weaknesses that lead to injection attacks. After the scan, the detected results are carefully examined to rule out false positives and to assess the risk of each finding.

Manual inspection

Manual inspection detects vulnerabilities caused by flaws in application logic, which are difficult for vulnerability scanners to find, as well as vulnerabilities related to authentication, authorization, and session management. The inspection is carried out with these characteristics of the application in mind.

Penetration test

The results of the vulnerability scanners and the manual inspection are combined to check whether the security controls of the website or application can be circumvented and a real security threat arises. For example, if a cross-site scripting vulnerability exists, we use it to steal session information, impersonate the user of the stolen session, and check whether that user's information can be accessed on the website or application. In this way we check whether a given vulnerability leads to a security threat such as information leakage or falsification.

Inspection item

Vulnerability assessment involves carrying out the following inspection items depending on the application environment and functions.

Platform

Open ports, open services, known vulnerabilities, and SSL/TLS settings

Authentication

User registration, authentication bypass, lockout function, password strength, password history control, password reset function, password change function, password transmission over encrypted communication, hard-coded passwords

Authorization

Directory traversal, privilege escalation, access to other users' areas, and allowing unnecessary HTTP methods

Session

Cookie attribute (Secure), Cookie attribute (HttpOnly), sending and receiving sessions over encrypted communication, whether the session function is enabled, session fixation, guessable session IDs, cross-site request forgery, session timeout function, logout function
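The session items above (Secure and HttpOnly cookie attributes, sessions exchanged only over encrypted communication) can be checked mechanically from a server's Set-Cookie headers. The following Python script is an added example for this page, not Matrix Inspect's own scanner: it parses constructed Set-Cookie values, raises findings for session-looking cookies that lack those protections, and additionally reports a missing SameSite attribute, which goes beyond the page's list. The sample headers and the cookie-name heuristic (SESSION_NAME_HINTS) are assumptions made for the example.

```python
"""Audit Set-Cookie headers for session-cookie hardening attributes.

Added example; the sample headers and the session-name heuristic are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: Set-Cookie header values as received in one HTTP response.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=8f3a1c2e; Path=/; HttpOnly; Secure",
    "csrftoken=abc123; Path=/; SameSite=Lax",
    "JSESSIONID=0001; Path=/app",
]

# Heuristic (assumption): substrings that mark a cookie as a session/auth identifier.
SESSION_NAME_HINTS = ("sess", "sid", "auth")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are matched case-insensitively; flag attributes
    (Secure, HttpOnly) carry no value, so they are recorded as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    samesite = attrs.get("samesite")
    return CookieReport(
        name=name.strip(),
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: treat cookies whose name hints at a session or auth token as sensitive."""
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookies(headers: List[str], served_over_https: bool = True) -> List[CookieReport]:
    """Return one report per cookie; findings are raised only for session-like cookies."""
    reports = []
    for header in headers:
        report = parse_set_cookie(header)
        if looks_like_session_cookie(report.name):
            if not served_over_https:
                report.findings.append("session cookie issued over plaintext HTTP")
            if not report.secure:
                report.findings.append("Secure attribute not set")
            if not report.httponly:
                report.findings.append("HttpOnly attribute not set")
            if report.samesite is None:
                report.findings.append("SameSite attribute not set")
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        status = "; ".join(r.findings) if r.findings else "ok"
        print(f"{r.name}: {status}")
```

Running the script on the constructed sample reports `sessionid` as missing only SameSite, leaves `csrftoken` without findings because it is not treated as a session cookie, and flags `JSESSIONID` for all three attributes. The `served_over_https` parameter models the "sessions over encrypted communication" item: a session cookie issued on a plaintext response is reported even when its attributes are set.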

Input Validation

Reflected Cross-Site Scripting (XSS), Stored Cross-Site Scripting (XSS), HTTP Verb Tampering, SQL Injection, Command Injection, Local File Inclusion, Remote File Inclusion, CRLF Injection, CSS injection, relative path overrides, server-side template injection

Client Side

Clickjacking, HTML injection

File upload

Crafting file content, Content-Type, file name, and metadata to exploit XSS, RCE (Remote Code Execution), DoS, file overwrite attack using ZIP files, symlink file overwrite attack using ZIP files, XXE

Information leakage

Error handling, sensitive data in query strings, existence of backup files, configuration file references, information leakage due to caching, leakage due to improper masking of personal information, directory listing

Others

Open redirection, deserialization, SSRF (Server Side Request Forgery), Cross-site WebSocket Hijacking

SERVICE PLAN

Basic

¥300,000
  • Vulnerability Assessment

Business

¥600,000 ~
  • Vulnerability Assessment
  • Manual Inspection (10 locations)
  • Optional services

Advanced

¥900,000 ~
  • Vulnerability Assessment
  • Manual Inspection (10 locations)
  • Penetration test
  • Optional services

Optional services

re-test

If a vulnerability is detected in the security inspection, we will re-inspect to confirm that it is no longer detected after it has been fixed. You select the locations to re-inspect from the vulnerability locations described in the report. A fee is charged per location, and re-inspection is available for 60 days from the date the report is submitted.

iOS App

An optional fee will be charged if the inspection target provides an iOS application.

Android App

An optional fee will be charged if the inspection target provides an Android application.

AWS account inspection

We inspect the security-related settings of your AWS account (tenant). Using the CIS Benchmark as a base, we customize additional inspection items, assess the risks, and report on them. For details, please refer to "AWS account security measures based on the CIS (Center for Internet Security) Benchmark".

Additional manual inspection

If the number of manual inspection locations exceeds the number included in the base fee, an additional charge applies from the 11th location.

Online debriefing session

An optional fee will be charged when conducting a debriefing session online remotely.

SERVICE DELIVERY

Usage process

FAQ

Will the report include instructions on how to respond if a vulnerability is detected?

The report will include details of the vulnerability and how to deal with it. We will try to provide solutions that are suited to your system environment. If you have any questions about the content, we will explain it to you by email or verbally.

Can you hold a report session?

Yes, a report session can be held remotely. This is an optional service; please use it if you need to gather the relevant parties and explain the results in a meeting format.

What are the strengths of your service and how does it differentiate from other companies?

We develop cloud services specializing in web security on a public cloud infrastructure, and specialize in inspecting web services on AWS, Azure, and Google Cloud.

Are the inspection items carried out in accordance with standards etc. to ensure comprehensiveness?

We provide services with a testing menu that follows the "Vulnerability Assessment Guidelines" established by the Japan Security Operations Providers Association and the OWASP Vulnerability Assessment Skill Map Project.

What tools do you use for vulnerability assessment?

We use Burp Suite for web application layer inspection, and OpenVAS, nmap, nuclei, and our own scanner for platform inspection.
