Matrix Inspect
Security diagnosis service by security engineers
CONCEPT
Understand vulnerabilities and take appropriate measures
We use our ethical hacker expertise to thoroughly inspect your systems and uncover potential vulnerabilities.
We don't just discover vulnerabilities, we propose solutions from the customer's perspective so that they can easily take concrete action.
For example, the approach to risk management differs between a system that must accept a wide range of users and a system that has a limited number of users and handles important information. The way measures are implemented also varies depending on the OS and middleware environment. We understand the customer's environment through interviews and diagnosis, and provide the solution that best fits it.
SERVICE
Service overview
Matrix Inspect is a service that performs security inspections on the system resources that make up websites. It scans web pages, APIs, mobile apps (iOS/Android) and cloud resources for vulnerabilities and threats.
This service is registered with the Information Security Service Standards Examination.
Basic
This service examines and reports output from automated inspections using scanners, and is suitable for situations where you want to perform diagnosis at low cost and in a short period of time.
Business
The inspections for this service are conducted in accordance with the "Vulnerability Assessment Guidelines" established by the Japan Security Operation Providers Association and the OWASP Vulnerability Assessment Skill Map Project. Each function and operation is analyzed, and manual inspections are performed on each individual function.
Advanced
In addition to the Business plan inspection, we conduct a penetration test. Based on the results of the vulnerability inspection, we check for high-risk vulnerabilities and for combinations of vulnerabilities that together pose a threat.
Inspection approach
Matrix Inspect is a service that can be selected according to the inspection content and target of security inspection. The inspection contents consist of vulnerability inspection, manual inspection, and intrusion inspection.
Vulnerability assessment
We perform inspections using vulnerability scanners and tools developed by our company. Scanning is performed with a scanner for network inspection and a scanner for web inspection. The network inspection scanner scans IP addresses and domains published on the Internet to identify running services, identify known vulnerabilities, and test whether firewall bypasses are possible. The web inspection scanner inspects web content and applications, focusing on security configuration issues and on input/output validation flaws that lead to injection attacks. After the scan is performed, the detected results are carefully examined to rule out false positives and to assess risk.
Manual inspection
Manual inspection detects vulnerabilities caused by flaws in application logic, which are difficult to find with vulnerability scanners, as well as vulnerabilities related to authentication, authorization, and session management. We carry out the inspection with these characteristics in mind.
Penetration test
The results of the vulnerability scanners and the manual inspection are combined to check for security threats that circumvent the security controls of the website or application. For example, if there is a cross-site scripting vulnerability, we use it to steal session information, impersonate the user of the stolen session, and check whether that user's information can be accessed through the website or application. In this way we check whether a given vulnerability leads to a security threat such as information leakage or tampering.
Inspection items
Vulnerability assessment involves carrying out the following inspection items depending on the application environment and functions.
Platform
Open ports, open services, known vulnerabilities, SSL/TLS settings
Authentication
User registration, authentication bypass, lockout function, password strength, password history control, password reset function, password change function, password transmission over encrypted communication, hard-coded passwords
Authorization
Directory traversal, privilege escalation, access to other users' areas, unnecessary HTTP methods allowed
Session
Cookie attribute (Secure), Cookie attribute (HttpOnly), sending and receiving sessions over encrypted communication, session function enabled, session fixation, guessable session IDs, cross-site request forgery, session timeout function, logout function
Input Validation
Reflected Cross-Site Scripting (XSS), Stored Cross-Site Scripting (XSS), HTTP Verb Tampering, SQL Injection, Command Injection, Local File Inclusion, Remote File Inclusion, CRLF Injection, CSS injection, relative path overrides, server-side template injection
Client Side
Clickjacking, HTML injection
File upload
Crafting file content, Content-Type, file name, and metadata to exploit XSS, RCE (Remote Code Execution), DoS; file overwrite attack using ZIP files, symlink file overwrite attack using ZIP files, XXE
Information leakage
Error handling, sensitive data in query strings, existence of backup files, configuration file references, information leakage due to caching, leakage due to improper masking of personal information, directory listing
Others
Open redirection, deserialization, SSRF (Server Side Request Forgery), Cross-site WebSocket Hijacking
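As an added example that is not part of the service page, the following Python code performs a static version of the Session inspection items above: it parses Set-Cookie headers from a constructed HTTP response and reports session cookies that lack the Secure or HttpOnly attribute or whose value looks guessable. The session-cookie name list, the 64-bit entropy threshold and the sample headers are assumptions made for the example.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed set of cookie names that commonly carry a session (assumption, not from the page).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid", "session"}

def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attribute keys."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:  # e.g. "Path=/", "Secure", "HttpOnly"
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def entropy_bits(value: str) -> float:
    """Total Shannon entropy of the value's characters; a rough signal for guessable IDs."""
    if not value:
        return 0.0
    probs = [c / len(value) for c in Counter(value).values()]
    return -sum(p * math.log2(p) for p in probs) * len(value)

def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for session cookies failing the Session inspection items."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
            continue  # not a session cookie; its attributes are out of scope here
        issues = []
        if "secure" not in cookie:
            issues.append("missing Secure: cookie may be sent over plaintext HTTP")
        if "httponly" not in cookie:
            issues.append("missing HttpOnly: value is readable by page scripts")
        if cookie["value"].isdigit() or entropy_bits(cookie["value"]) < 64:
            issues.append("guessable session ID: numeric or low entropy")
        if issues:
            findings[cookie["name"]] = issues
    return findings

# Constructed sample Set-Cookie headers standing in for a captured response.
SAMPLE_HEADERS = [
    "sessionid=1000345; Path=/",
    "JSESSIONID=9F3A7C2E1B8D4F60A5E2C7B1D9F4A3E8; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
```

Running `audit_cookies(SAMPLE_HEADERS)` flags only the first cookie, with all three findings; the second passes and the third is not treated as a session cookie.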
SERVICE PLAN
Plan | Price | Included
Basic | ¥300,000 | Vulnerability Assessment
Business | ¥600,000 ~ | Vulnerability Assessment, Manual Inspection (10 locations), Optional services
Advanced | ¥900,000 ~ | Vulnerability Assessment, Manual Inspection (10 locations), Penetration test, Optional services
Optional services
Re-test
If a vulnerability is detected in the security inspection, we will re-inspect after remediation to confirm that the vulnerability is no longer detected. You select the locations to re-inspect from the vulnerability locations described in the report. A fee is charged for each location, and re-inspection is available within 60 days from the date the report is submitted.
iOS App
An optional fee will be charged if the inspection target provides an iOS application.
Android App
An optional fee will be charged if the inspection target provides an Android application.
AWS account inspection
We inspect the security-related settings of your AWS account (tenant). Based on the CIS Benchmark, we customize additional inspection items, assess the risk, and report the results. For details, please refer to "AWS account security measures that correspond to the CIS (Center for Internet Security) Benchmark".
Additional manual inspection
If the number of manual inspection locations exceeds the number included in the basic fee, additional charges apply from the 11th location.
Online debriefing session
An optional fee will be charged when conducting a debriefing session online remotely.
SERVICE DELIVERY
Usage process
FAQ
Will the report include instructions on how to respond if a vulnerability is detected?
The report will include details of the vulnerability and how to deal with it. We will try to provide solutions that are suited to your system environment. If you have any questions about the content, we will explain it to you by email or verbally.
Can you hold a report session?
It is possible to hold a report session remotely. This is an optional service, but please use it if you need to gather relevant parties and explain things in a meeting format.
What are the strengths of your service and how does it differentiate from other companies?
We develop cloud services specializing in web security on a public cloud infrastructure, and specialize in inspecting web services on AWS, Azure, and Google Cloud.
Are the inspection items carried out in accordance with standards etc. to ensure comprehensiveness?
We provide services with a testing menu that follows the "Vulnerability Assessment Guidelines" established by the Japan Security Operations Providers Association and the OWASP Vulnerability Assessment Skill Map Project.
What tools do you use for vulnerability assessment?
We use Burp Suite for web application layer inspection, and OpenVAS, nmap, nuclei, and our own scanner for platform inspection.