1. Introduction
1.1. Background
This security audit is a requested service authorized by the client. The service is
mainly about application penetration testing which helps to find the vulnerabilities
and threats of the target. All the penetration testing items are done by simulating the
real world malicious attacks against the target, which mimics human hackers’
activities by manual penetration testing with automated tools. The goal and
responsibilities of this security audit are listed as follows:
• Identify the vulnerabilities which could be exploited remotely by attackers, leading
to financial damage to the client.
• Triage the vulnerabilities in the terms of (but not limited to) the impact to the
client’s business logic, private data leakage, the availability of client’s services, etc.
• Provide the corresponding solution to fix the problem with support services.
In the process of the security audit, we collect information, perform testing attacks,
build threat models, and identify/triage/analyze/exploit vulnerabilities as attackers.
The whole process is based on OWASP TOP 10 and other standards defined by
national institutes, which is controllable and tunable.
1.2. Purpose
The purpose of the security audit is to rate the security level of the target, report the
vulnerabilities identified in the target, and improve the target in terms of stability and
reliability by providing solutions to fix the vulnerabilities.
1.3. References
➢ GB/T 18336-2008: IT security technology information technology security
evaluation criteria
➢ GB 17859-1999: Classified criteria for security protection of computer
