Cybersecurity

Application & infrastructure pentesting, vulnerability assessment, hardening, secure SDLC (SAST/DAST), incident response tabletop exercises, and compliance preparation (ISO 27001 readiness).

Service Scope

  • Web/API application pentesting (black/grey/white-box)
  • Vulnerability assessment & remediation plan
  • OS (Linux/Windows) & database hardening
  • AppSec for Java & PHP stacks (authz/authn, input validation, sessions, file upload)
  • AppSec for Go, Node.js and Vue (CSP, input sanitisation, SSRF/XXE, dependency hygiene)
  • Secure SDLC: SAST/DAST, dependency scanning
  • Cloud security review (IAM, network, secrets)
  • Incident response tabletop exercises & playbooks
  • Compliance readiness (ISO 27001/basic PCI-DSS)

Supported Tooling

  • OWASP ZAP
  • Burp Suite
  • Nmap
  • OpenVAS
  • Trivy
  • kube-bench
  • Lynis
  • Falco
  • SonarQube
  • FindSecBugs (Java)
  • OWASP Dependency-Check
  • Composer Audit (PHP)
  • PHPStan/Psalm
  • Spring Security Review
  • Laravel Security Review
  • gosec (Go)
  • govulncheck (Go)
  • Semgrep (multi-stack)
  • npm audit (Node)
  • Retire.js
  • eslint-plugin-security
  • eslint-plugin-vue
  • Helmet (Node/Express)

Onboarding Process

  1. Scoping: asset identification, threat model and priorities.
  2. Assessment: pentest/VA, evidence for each finding, and risk rating.
  3. Hardening: patching, secure configuration and validation.
  4. Transfer: final report, recommendations, SOP/playbook.

SLA Summary

  • Basic: report ≤ 10 working days, 2 hours of consultation.
  • Standard: report ≤ 7 working days, 1 fix-verification cycle, on-call 08:00–22:00.
  • Enterprise: report ≤ 5 working days, 2 fix-verification cycles, 24/7 on-call (high-severity incidents).

Packages & SLA

Detailed SLAs are available on the Services page. Packages can be customised to your needs.

FAQ

How much access is needed for a pentest?

It depends on the scenario (black/grey/white-box). At minimum: the target endpoints, the in-scope IPs/domains, and test accounts (if authentication is required).

How long does an engagement take?

Typically 1–2 weeks for a small-to-medium scope (including the report). Enterprise/multi-system engagements need dedicated planning.

Does it include remediation?

We provide remediation recommendations and verification of the fixes (fix verify) according to the SLA package.

What methodology is used?

We follow the OWASP Testing Guide/ASVS for applications and industry standards (NIST/CIS) for infrastructure. Testing covers recon, enumeration, exploitation and post-exploitation (where permitted).

Will testing disrupt production?

Our default is non-disruptive testing. High-risk attacks are coordinated and simulated at an agreed time. A staging environment is recommended where possible.

Can results be mapped to compliance (ISO 27001, PCI)?

Yes, the findings summary can be mapped to the relevant controls/annex to support audit readiness.

What is the retest policy after fixes?

1–2 fix-verification cycles are included depending on the package. Additional retests can be added as needed.

How are sensitive data & NDAs handled?

We sign an NDA, apply least privilege, store data encrypted, and delete test data after the engagement in line with the retention policy.

What is the pricing model?

Per scope (fixed price) for defined engagements, or a monthly retainer for ongoing needs (e.g. periodic VA, hardening, IR standby).

Deliverables

Documents

  • Findings report (executive summary + technical detail)
  • Risk rating & remediation plan
  • Hardening checklist & best practices
  • IR playbook (optional)

Sessions & Verification

  • Results walkthrough & Q&A
  • Fix verification (per package)
  • Knowledge transfer & prioritised recommendations

Results & Metrics

  • 20+ critical findings closed
  • 35% reduction in incident MTTR
  • 99.9% target uptime after hardening

Expertise & Standards

  • OWASP ASVS
  • OWASP Top 10
  • NIST CSF
  • CIS Benchmarks
  • ISO/IEC 27001 (readiness)

Example SAST/DAST Pipelines

Below are example GitHub Actions pipelines for starting SAST/DAST automation on several stacks. Adapt them to your repository.

JS/TS (SAST + Dep Scan)

name: security-js
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: ESLint + tsconfig checks (opsional)
        run: npm run lint --if-present
      - name: Dependency Audit
        run: npm audit --production --audit-level=moderate || true
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.10.0
        with:
          target: https://staging.example.com
          cmd_options: -a
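
The `|| true` on the npm audit step above keeps the job green regardless of what the audit finds. As an added example (not part of the original pipeline), this small Python policy script reads `npm audit --json` output and fails only for findings at or above a chosen severity that are not on an explicit allowlist. The package names, ranges and advisory URLs in the sample JSON are constructed.

```python
import json

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample of `npm audit --json` (auditReportVersion 2) output; the
# package names, ranges and advisory URLs are made up for this example.
SAMPLE_AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "fastjsonx": {"name": "fastjsonx", "severity": "high", "isDirect": true,
      "via": [{"title": "Prototype pollution in fastjsonx", "url": "https://example.invalid/adv/2"}],
      "range": "<2.0.5", "fixAvailable": true},
    "left-pad-ish": {"name": "left-pad-ish", "severity": "low", "isDirect": false,
      "via": [{"title": "ReDoS in left-pad-ish", "url": "https://example.invalid/adv/1"}],
      "range": "<1.2.0", "fixAvailable": true},
    "oldxml": {"name": "oldxml", "severity": "moderate", "isDirect": true,
      "via": ["fastjsonx"], "range": "*", "fixAvailable": false}
  }
}"""

def failing_findings(audit_json_text, min_severity="moderate", allowlist=()):
    """Vulnerabilities at or above min_severity whose package is not allowlisted
    (allowlist only accepted, tracked risks), sorted by package name."""
    report = json.loads(audit_json_text)
    threshold = SEVERITY_ORDER.index(min_severity)
    failures = []
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        if name in allowlist or SEVERITY_ORDER.index(vuln["severity"]) < threshold:
            continue
        # `via` holds advisory objects for the package itself, or bare package
        # names when the package is only affected through a dependency.
        failures.append({
            "package": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            "fix_available": bool(vuln.get("fixAvailable")),  # npm may emit an object here
            "advisories": [v["title"] for v in vuln["via"] if isinstance(v, dict)],
            "via": [v for v in vuln["via"] if isinstance(v, str)],
        })
    return failures

def gate(audit_json_text, min_severity="moderate", allowlist=()):
    """Print failing findings and return a process exit code (0 = policy passed)."""
    failures = failing_findings(audit_json_text, min_severity, allowlist)
    for f in failures:
        reason = ", ".join(f["advisories"]) or "affected via " + ", ".join(f["via"])
        kind = "direct" if f["direct"] else "transitive"
        print(f"[{f['severity']}] {f['package']} ({kind}): {reason}; fix available: {f['fix_available']}")
    return 1 if failures else 0
```

In the workflow, run `npm audit --json > audit.json || true` and then a short `__main__` that passes the file contents to `gate()` and exits with its return value, so the step fails on your policy rather than on npm's own exit status.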

Java (FindSecBugs + Dependency-Check)

name: security-java
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - name: Build + SpotBugs
        # assumes spotbugs-maven-plugin (with the findsecbugs plugin) is bound to the verify phase in pom.xml
        run: mvn -B -DskipTests=false clean verify
      - name: Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: my-java-app
          path: .
          format: HTML
      - name: Upload DC report
        uses: actions/upload-artifact@v4
        with:
          name: dep-check-report
          path: ./reports   # the action's default output directory (its `out` input)

PHP (Composer Audit + PHPStan)

name: security-php
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          coverage: none
          tools: phpstan, composer
      - run: composer install --no-interaction --prefer-dist
      - name: Composer Audit
        run: composer audit || true
      - name: PHPStan (level max opsional)
        run: phpstan analyse --memory-limit=1G

Linux/NGINX Hardening Snippets

The configuration snippets below are baseline examples. Adjust them to your policies and your OS/web-server versions.

Linux sysctl (network)

# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
kernel.kptr_restrict = 2
kernel.randomize_va_space = 2
# apply: sysctl --system

OpenSSH (sshd_config)

# /etc/ssh/sshd_config.d/99-hardening.conf
# (no "Protocol 2" line: modern OpenSSH only speaks protocol 2 and treats the keyword as deprecated)
PermitRootLogin no
PasswordAuthentication no
# named KbdInteractiveAuthentication since OpenSSH 8.7; the old keyword is still accepted
ChallengeResponseAuthentication no
UsePAM yes
ClientAliveInterval 300
ClientAliveCountMax 2
AllowTcpForwarding no
X11Forwarding no
MaxAuthTries 3
# check the syntax first, then restart: sshd -t && systemctl restart sshd

UFW (Firewall)

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment "SSH"
ufw allow 80,443/tcp comment "HTTP(S)"
ufw enable

NGINX Security Headers

# /etc/nginx/conf.d/security-headers.conf
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# legacy header: current browsers ignore it; the CSP below is the real XSS control
add_header X-XSS-Protection "1; mode=block" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# 'unsafe-inline' in script-src weakens the CSP considerably; move to nonces/hashes once inline scripts are gone
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
# include in server {} block: include conf.d/security-headers.conf;
# note: a location {} that declares its own add_header drops all inherited headers, so include this file there as well

NGINX TLS (modern)

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# applies to TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL and are not selected here
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# OCSP stapling also needs a resolver directive and the CA chain in ssl_trusted_certificate
ssl_stapling on;
ssl_stapling_verify on;
# HSTS (enable only once the domain is fully HTTPS; preload is hard to undo)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
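
To verify that the header and TLS baselines above are actually served (and not dropped by a location block), here is an added example, not part of the original page: a Python checker that parses a raw HTTP response, checks each header from the baseline, and parses the CSP to flag the weak spots ('unsafe-inline' in script-src, object-src not 'none', no clickjacking protection). The sample response is constructed to match the NGINX configuration above.

```python
import re

# Constructed response from a server running the NGINX header/TLS baseline above (body made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; "
    "script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Lower-cased header name -> value from a raw HTTP/1.x response (status line skipped)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def parse_csp(value):
    """Content-Security-Policy string -> {directive: [sources]}."""
    parts = (d.split() for d in value.split(";"))
    return {p[0].lower(): p[1:] for p in parts if p}

def audit_headers(raw):
    """(level, message) findings: 'fail' = protection absent, 'warn' = should be tightened."""
    h = parse_headers(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("fail", "X-Content-Type-Options: nosniff missing"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(("fail", f"{name} missing"))
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < 31536000:
        findings.append(("fail", "HSTS missing or max-age below one year"))
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        return findings + [("fail", "Content-Security-Policy missing")]
    scripts = csp.get("script-src", csp.get("default-src", []))   # CSP fallback rule
    if "'unsafe-inline'" in scripts:
        findings.append(("warn", "script-src allows 'unsafe-inline'; prefer nonces or hashes"))
    if csp.get("object-src") != ["'none'"]:
        findings.append(("warn", "object-src should be 'none'"))
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("fail", "no clickjacking protection (frame-ancestors or X-Frame-Options)"))
    return findings
```

Feed it the output of `curl -si https://your-host/` (and of a few deeper paths served by their own location blocks) to catch the add_header inheritance problem noted above.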

Database Hardening Snippets (PostgreSQL/MySQL)

PostgreSQL

# postgresql.conf
listen_addresses = 'localhost'            # use a private IP/VPC address when remote clients need access
password_encryption = scram-sha-256
ssl = on
log_connections = on
log_disconnections = on
log_statement = 'ddl'
log_min_duration_statement = 500
shared_preload_libraries = 'auto_explain'

# pg_hba.conf (use tight CIDR ranges; hostssl forces TLS for the remote network, and that
# rule only takes effect once listen_addresses covers a non-loopback interface)
hostssl all all 10.0.0.0/24 scram-sha-256
host    all all 127.0.0.1/32    scram-sha-256
host    all all ::1/128         scram-sha-256
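
As an added example (not part of the original snippets), a Python audit of a pg_hba.conf that encodes the "tight CIDR" rule above: it flags `trust`/`password`/`md5` methods, plain `host` (no TLS) rules for non-loopback networks, `hostnossl`, and overly wide CIDRs. The sample file below is constructed from the baseline rules plus two deliberately weak rules.

```python
import ipaddress

# Constructed pg_hba.conf: the baseline rules above plus two weak rules added
# for the example (the 0.0.0.0/0 line and the appdb/app line are made up).
SAMPLE_PG_HBA = """
# TYPE    DATABASE  USER  ADDRESS         METHOD
local     all       all                   peer
hostssl   all       all   10.0.0.0/24     scram-sha-256
host      all       all   127.0.0.1/32    scram-sha-256
host      all       all   ::1/128         scram-sha-256
host      all       all   0.0.0.0/0       md5
hostnossl appdb     app   10.0.5.0/24     trust
"""

WEAK_METHODS = {
    "trust": ("fail", "trust skips authentication entirely"),
    "password": ("fail", "password sends the cleartext password"),
    "md5": ("warn", "md5 is legacy; use scram-sha-256"),
}

def audit_pg_hba(text, max_hosts=256):
    """(level, rule, reason) for rules that are too open. Handles CIDR addresses only
    (not the 'address netmask' form); loopback rules skip the TLS and width checks."""
    findings = []
    for raw in text.splitlines():
        rule = " ".join(raw.split("#", 1)[0].split())   # drop comments, collapse spacing
        if not rule:
            continue
        f = rule.split()
        ctype = f[0]
        address, method = (None, f[3]) if ctype == "local" else (f[3], f[4])
        if method in WEAK_METHODS:
            level, reason = WEAK_METHODS[method]
            findings.append((level, rule, reason))
        if address is None:
            continue
        net = ipaddress.ip_network(address, strict=False)
        if net.is_loopback:
            continue
        if ctype == "hostnossl":
            findings.append(("fail", rule, "hostnossl forbids TLS for a remote network"))
        elif ctype == "host":
            findings.append(("warn", rule, "remote network without TLS; use hostssl"))
        if net.prefixlen == 0:
            findings.append(("fail", rule, "matches every address; restrict the CIDR"))
        elif net.num_addresses > max_hosts:
            findings.append(("warn", rule, f"wide CIDR ({net.num_addresses} addresses); tighten it"))
    return findings
```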

MySQL/MariaDB

# /etc/mysql/conf.d/99-hardening.cnf
[mysqld]
bind-address = 127.0.0.1                  # bind to a private interface instead if the 'app'@'10.%' account below connects remotely
require_secure_transport = ON
# MySQL 8.0 option: later MySQL releases use authentication_policy, and MariaDB has no caching_sha2_password
default_authentication_plugin = caching_sha2_password
local_infile = OFF
secure_file_priv = /var/lib/mysql-files
log_error_verbosity = 2
slow_query_log = 1
long_query_time = 0.5

-- example minimal grant (run in the SQL client; 'strong-password' is a placeholder)
CREATE USER 'app'@'10.%' IDENTIFIED BY 'strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.%';
FLUSH PRIVILEGES;

Node Security Headers (Helmet)

Express + Helmet + CSP

import express from 'express'
import helmet from 'helmet'

const app = express()

// Helmet 4+ sends X-Content-Type-Options: nosniff by default and, for xssFilter,
// X-XSS-Protection: 0 (the legacy browser filter is disabled on purpose).
// The CSP is passed here instead of as a second helmet.contentSecurityPolicy()
// middleware, which would otherwise set the same header twice.
app.use(helmet({
  xssFilter: true,
  noSniff: true,
  frameguard: { action: 'sameorigin' },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
  contentSecurityPolicy: {
    useDefaults: true,
    directives: { // adjust sources to your application
      defaultSrc: ["'self'"],
      imgSrc: ["'self'", 'data:', 'https:'],
      scriptSrc: ["'self'", 'https:'],
      styleSrc: ["'self'", "'unsafe-inline'", 'https:'],
      objectSrc: ["'none'"],
      baseUri: ["'self'"],
      frameAncestors: ["'self'"]
    }
  }
}))

// Helmet has no Permissions-Policy option (permissionsPolicy is not a Helmet
// setting), so the header is set directly; the value matches the NGINX baseline.
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
  next()
})

app.listen(3000)

Cloudflare WAF

Cloudflare WAF Rules

{
  "rules": [
    {
      "id": "block-bad-user-agents",
      "priority": "1",
      "description": "Block bad user agents",
      "filter": "(http.user_agent contains \"bad-bot\")",
      "action": "block"
    },
    {
      "id": "block-suspicious-traffic",
      "priority": "2",
      "description": "Block suspicious traffic",
      "filter": "(http.request.uri.path contains \"/wp-admin/\") and (not http.request.uri.query contains \"_validate\")",
      "action": "block"
    }
  ]
}

“Natif's team identified critical findings and helped our team remediate them quickly. The observability and hardening they put in place made our systems far more audit-ready.”
PLN Icon Plus
Head of IT Security
Energy Company

Trusted by

PLN Energi Primer, PLN Icon Plus, Inspektorat Jakarta, Telkomsat

Request Pentest

Fill in the form below and our team will contact you within 1x24 working hours.