Products

• Products

• Products Overview

• CORE INSIGHT Enterprise
  Security Testing Solution
  • Overview
  • How It Works
  • Dashboards
  • Demos
  • Data Sheets and White Papers
  • Comparing CORE INSIGHT to CORE IMPACT
  • How to Buy

• CORE IMPACT Pro
  Penetration Testing Software
  • Overview
  • What It Tests
    • End Users
    • Endpoint Systems
    • Mobile Devices
    • Network Devices
    • Network Systems
    • Web Applications
    • Wireless Networks
    • IPS/IDS, Firewalls and Other Defenses
    • Vulnerabilities Identified by Scanners
  • How It Works
  • Features and Benefits
    • Overview
    • Exploits You Can Trust
    • How Our Exploits Work
    • About Our Client-Side Exploits
    • About Our Agents
  • Vulnerability Scanner Integration
  • Reporting
  • What's New
  • Security Updates
  • Demos
    • Impact
  • Data Sheets, White Papers and Other Resources
  • Intro To Penetration Testing
    • What Is Penetration Testing?
    • Comparing Security Testing Options
    • What To Look For
    • Independent Penetration Testing Resources
    • Conducting Penetration Tests
  • Comparing CORE IMPACT to CORE INSIGHT
  • Training, Certification and Support
  • How to Buy

• Core WebVerify Web
  Application Security Testing Software
  • Overview
  • Web Application Vulnerability Coverage
  • WebVerify vs. Scanners
  • Reveal Implications of Application Vulnerabilities

• Core CloudInspect Cloud Security Testing for AWS

• Demos and Evaluations

• The Research Behind Our Products

• Why Our Products are Safe

• How to Buy

Core’s Pledge: Safe and Controlled Security Testing

A significant concern for any company engaging in proactive security testing is that the work itself does not have a negative effect on any systems or processes, or take critical operations offline, in the process of emulating threats to see if IT and network assets are properly protected.

This is one of the best reasons to choose our family of products to carry out your security analyses -- because we have spent considerable time and effort, and continue to do so every day, to ensure that our customers won’t create any unexpected problems as a result of their testing projects.

Rigorous quality assurance

Our extensive library of exploits is continuously run through rigorous QA testing, using an effective combination of automated testing processes and close personal inspection. Our testing team works hard to reduce the chances that our exploits will have unpredicted or ancillary effects on tested systems or processes.
 
While the automation of testing for existing exploits is relatively easy, extensive testing of new, “work-in-progress” exploits is significantly harder and can only be done by hand. Our testing team exhaustively assesses the new exploits in a range of environments to eliminate or reduce the circumstances when those exploits could cause issues in the target environment.

Keeping code off of tested systems

The integrity of a system can be thought of as its ability to operate in an unimpaired condition.   Core’s exploits are written and tested to a commercial-grade standard, and our agents are designed with the same care. Core Security seeks to not disrupt the integrity of a system, when deploying agents. Our solutions can deploy memory-resident agents, file-based agents, and persistent agents. Memory-resident agents are run in RAM, and they are automatically removed under a number of circumstances. These include events such as: a user issues a cleanup command, a user loses connection to the agent, the compromised service or machine is restarted.  File-based agents or Persistent agents can be copied to a target’s file system and can be removed using our solutions’ Clean-Up capabilities or by hand.

In the rare cases where the agent is maintained on a device after a test is completed, it is automatically erased from the system’s memory the next time the tested machine is rebooted (if it was memory resident). For file and persistent agents that were not cleaned up, it is not possible for anyone one else to communicate with that agent due to the authentication that is performed between the IMPACT workspace and agents it has deployed. However, it possible for CORE IMPACT to reconnect to that exploit and “Clean Up” – additionally all information about how the agent was packaged is contained in the IMPACT’s Module logs, providing enough information to remove the agent by hand.

Maximizing system stability

Some exploits, due to a factor of the vulnerability they are exploiting, could disrupt the stability of the targeted service. Consequently, while Core Security has a goal of providing only safe exploits, there occasionally is the potential to disrupt system processes when executing some exploits. Before one of these specific exploits is executed, users are cautioned regarding the potential implications of performing that exploit on said vulnerability.
It is a goal of Core’s exploit testing team to determine if an exploit will cause a loss of system stability.  Inadvertently putting a system into a degraded state during an assessment is typically not part of the Scope of Work of most security test and measurement assessments.

Core Security offers customers the peace of mind to know that the product they are using will not cause services to become unavailable, and possibly crash. This is the key that separates Core Security from others in the marketplace. Our commitment is to deliver a commercial-grade solution.

Leaving no backdoors

Another common concern of security testers is ensuring that any agents/payloads that they deploy will establish a path by which attackers could someday find their own way into an organization’s networks or systems. During the penetration test, our product design of mutual authentication once again guarantees that this scenario is not a possibility. And after the test is over, if communication with a file based or persistent agent is lost, it is possible to reconnect to that running agent and issue the “Clean Up” command. Furthermore, Core’s products log all of their activities, meaning that agents can be easily found in the event that a manual clean up is required.

Independent safety validation in the field

Over the years, many of our customers – including large US Federal Agencies – have conducted independent code reviews of our products to confirm their safety and predictability in sensitive IT environments. These reviews have always resulted in the organization deciding to implement the solution.

No new vulnerabilities

Our products never create any new security vulnerabilities during testing, rather, they merely find the weak points that already exist in tested systems and exploit those issues to help customers better protect themselves.

Keeping our products out of the wrong hands

Another area of concern with security testing technologies is that the products cannot find their way into the hands of malicious parties who may use the programs to carry out their own attacks.

We have engineered a number of functions into our products to protect against the very scenario.

Every single copy of our products features a unique identifier that is associated with the organization that licenses the product at the time that they take delivery. As part of our comprehensive software update process, Core has the ability to know if a specific iteration of one of our products is being used by anyone but the explicit licensee, or if it has somehow been copied.

In the case that one of our products has been stolen or copied, we retain the ability to monitor where it is being used improperly, and disable the technology remotely.

Ensuring that our products are only being used by licensed customers with the most legitimate intentions is another central aspect of our design and value proposition.

A reputation based on trust

We stake our reputation on these claims, because the foundation of our business is built on the concept of customers’ trust that our products do everything that they claim to, and nothing they are not supposed to.

We maintain that this is one of the unique value propositions of our products and services when compared to some of the technologies and services with which our products compete..