Cybersecurity audits

Audits and penetration testing are XMCO’s core business. Its auditors are PASSI-qualified by ANSSI.

Identify all security vulnerabilities

Our auditors adopt the posture of an attacker to identify all security flaws in the configurations and management of Information System components.

XMCO develops its own intrusion tools and masters the software used

Thanks to its recognized experience in intrusion tests and intrusion response, XMCO guarantees pragmatic audits in which the “risk of intrusion” remains the common thread.
The audits take place in 4 major phases:

  1. An audit protocol with control points is defined
  2. Interviews (technical and/or organizational) are conducted by a senior consultant
  3. The configurations are analyzed with the collaboration of your teams
  4. Finally, the audit can be supplemented by intrusion tests in order to obtain a transversal vision of the level of security

Code review

The purpose of code auditing is to verify the security of an application’s code.

  • The technical aspect

    Are good development practices and application security elements respected?

  • Are the features correctly implemented?

    This approach makes it possible to detect a large number of vulnerabilities at source.

  • Methodology

    The review combines automated and manual analysis and results in corrective actions and an action plan. It can be carried out before an application is put into production or on an ad hoc basis. Ideally, code audits are part of a preventive approach to code quality, with lighter but regular audits throughout the lifecycle of the application.

Configuration audit

  • Objective

    A configuration audit aims to verify the configuration of a technical element in relation to security risks.

  • Methodology

    There are two ways to conduct a configuration audit:
    • Cold, on your configuration listings
    • Hot, on your running equipment

Architecture Audit

  • Objective

    An architecture audit aims to control the consistency and functional compliance of an information system with respect to security threats.

  • Methodology

    Ideally carried out during the design phase of a project, the audit covers all the building blocks that make up the architecture of an information system: the system, the network, the database, the application, and development.

Organizational and physical audit

  • Objective

    This involves auditing the organization, processes and controls that govern security management and verifying the compliance of physical security mechanisms.

  • Methodology

    We are committed to understanding and measuring the level of maturity and compliance of the security processes in place: those already compliant with the standard, those requiring compliance and those to be put in place.

Penetration testing

  • Objective

    Penetration testing measures the risk associated with an information system by simulating realistic attack conditions. It identifies vulnerabilities that can be exploited and lead to the compromise of an information system via your internal networks or the Internet.

  • Global methodology

    The auditor temporarily adopts the posture of a real attacker and strives to reproduce the approach and techniques of a real malicious individual. Penetration tests can be carried out

  • Internal intrusion test methodology

    This consists of placing the auditor directly on the target network. Connected like an employee to the corporate network, the auditor attacks your computer resources.

  • External intrusion test methodology

    This consists of placing the auditor outside the network. The auditor therefore targets services exposed on the Internet, whether they are hosted by you or by a service provider.