Security Review
The security review, or audit, is a comprehensive study of service security. It reviews the service for all known security vulnerabilities, examines the processes by which the service is run and managed, and assesses the security policies and standards that define it. At the end of the review we present a comprehensive report of our findings, together with recommendations for actions that may be taken to remedy any vulnerabilities discovered during the review.

The review therefore comprises three primary elements:

  1. penetration test - our team of security experts simulates a real intruder's attack, from exploratory and scanning attacks through to cutting-edge firewall-piercing techniques. Having thoroughly tested the service security, our security team documents everything found, identifies ways to tighten security and keep intruders out, and presents this in a presentation and workshop to the service owners and operators

  2. security audit - an audit measures an organisation's compliance against service security policies and standards, and examines the processes and quality involved in their implementation. Our audit is firmly practical, based on the principles of BS7799 and focused on measuring practical performance and effectiveness against defined and required standards

  3. vulnerability assessment - most of the major security scares of 2000 were the result of application flaws or of process inadequacies. Whereas many audits and reviews focus largely on an automated network penetration test, which would not uncover vulnerabilities of the type mentioned above, Ravenswood employs a 'whole-service' focus. That is to say, we use a wide range of hands-on techniques and internal system examination to examine end-to-end service security, utilising the world-class skills in perimeter service development, security and management that we maintain in-house.

The review process is broken down into a 'seven-layer' delivery. These 'layers' are:

  1. service analysis - providing the platform for the development of the final risk analysis. This process covers a short analysis of the service function, audience and medium, plus the definition of the information held within and transmitted by the service, and examination of existing security policies for the service

  2. infrastructure analysis - a detailed security audit of the network and platform infrastructure supporting the service, including the host(s), the network and perimeter security implementation, plus monitoring and management services. This analysis includes the penetration attacks, including scanning attacks such as SYN, ACK and ICMP scans and firewall-piercing techniques. Ravenswood use a range of leading scan tools and techniques alongside our human expertise, including both commercial and freeware packages. Although by default none of our tests are service affecting, we can also provide destructive attack testing and current Denial of Service attacks where required, allowing real-world testing of service behaviour under such conditions and putting Intrusion Detection and response systems and processes to the test.

  3. application analysis - a security review of the critical code techniques deployed and their interface implications (e.g. database access mechanisms, client data delivery mechanisms, external objects utilised, use of persistence vs. instant reap, etc.), delivering key information not only on possible code weaknesses but also on likely susceptibility to Denial of Service attacks and overloading

  4. process analysis - an audit of the security management and response processes that will apply to the service, e.g. how will a malicious attack on the service be recognised and handled?

  5. risk analysis - the analysis and definition of the identified security risks in delivering this service to the intended audience over the intended medium(s)

  6. recommendations - the development of recommendations for the reduction or removal of the identified risks 

  7. documentation - the preparation of documentation covering the above process, findings and recommendations, and an interactive presentation of these results to ensure full comprehension of the findings and to provide direction on implementing the recommendations

Copyright © 2010 Ravenswood IT Services.