
Enterprise COTS platforms such as Salesforce, SAP, and Microsoft Dynamics concentrate vast amounts of organisational data and process. Their security depends almost entirely on how they are configured, what custom code has been layered on top, and how they integrate with the rest of the environment. Penetration testing against the vendor product itself is rarely the right question; testing your specific configuration is.

Our COTS engagements review the platform-specific security primitives (Salesforce sharing rules and profiles, SAP authorisation objects and S_RFC, Dynamics security roles and field-level security) alongside the custom Apex / ABAP / plugin code that often quietly bypasses them. Findings map to vendor security baselines, ISO 27001:2022 access-control requirements, and any regulatory requirements for the data the platform holds.

The risks your organisation faces.

COTS platforms concentrate data

A misconfigured Salesforce org, SAP system, or Dynamics tenant can expose more data than most application-layer breaches, and the controls that protect them are usually invisible to traditional penetration testing.

Custom code routinely bypasses platform controls

Apex without "with sharing", ABAP without authorisation checks, plugins running with elevated privileges: every COTS platform has its own version of "the customisation that defeated the security model".
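The Salesforce case above, shown as an added illustration that is not part of the original page: a controller declared "without sharing" runs in system context and ignores the org's sharing rules, while the hardened form restores record-level sharing and object/field-level checks. Class names, the Opportunity query, and the "term" parameter are assumptions for the example.

```apex
// Constructed example. The class name, query and parameter are hypothetical.

// Vulnerable: "without sharing" runs the SOQL in system context, so every
// Opportunity matching the search term is returned regardless of whether the
// calling user has read access to it. (A class with neither keyword also
// runs without sharing when it is the entry point.)
public without sharing class OpportunitySearch {
    @AuraEnabled(cacheable=true)
    public static List<Opportunity> search(String term) {
        String pattern = '%' + term + '%';
        // Bind variable (:pattern) prevents SOQL injection, but sharing rules
        // and field-level security are still not applied here.
        return [SELECT Id, Name, Amount
                FROM Opportunity
                WHERE Name LIKE :pattern];
    }
}

// Hardened: "with sharing" enforces the org's record-level sharing model, and
// WITH USER_MODE (or WITH SECURITY_ENFORCED on older API versions) makes the
// query respect object and field-level security, throwing if the caller lacks
// access to any selected field.
public with sharing class OpportunitySearchSecure {
    @AuraEnabled(cacheable=true)
    public static List<Opportunity> search(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name, Amount
                FROM Opportunity
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }
}
```

During a configuration review, enumerating classes declared "without sharing" (or with no sharing keyword) that are exposed via @AuraEnabled, @RemoteAction, or REST endpoints is the quickest way to find this pattern.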

A structured, intelligence-led workflow on every engagement.

Every engagement follows the same disciplined process through the Velocity platform, so quality, traceability, and reporting are consistent across the team.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-certified consultants, with evidence captured at every step.

Validation

Every finding is reproduced, risk-rated using CVSS, and confirmed by a second consultant before it is reported.

Reporting

A cryptographically signed report, with traceability to every Test Case, severity ratings, reproduction steps, and remediation recommendations.

Debrief & Retest

Presentation of findings to stakeholders, prioritisation support, and a retest cycle for remediated findings.

Mapped to industry-recognised baselines.

Salesforce Security Baseline
SAP Cyber Security guidance
Microsoft Dynamics security best practices
ISO 27001:2022
PCI DSS (where applicable)

Test Your Defences with an Offensive Adversarial Approach

Discuss your next Penetration Testing requirement with our CREST-certified consultants.