Orro Penetration Testing

Our value offering

Organisations have a variety of needs to understand their true security posture. Orro offers a portfolio of services which are aimed at providing either a point-in-time or ongoing determination on the security of an organisation’s information, processes and people. Reports from our work are available in a variety of formats suitable to audiences from the executive to the engineer.

In addition to reporting, Orro works with application, platform and support teams to effectively communicate any issues identified and support risk assessment and remediation activities.

We also provide portal-based services to track the treatment of vulnerabilities and issues, giving organisations a big-picture view of how their security has evolved over time.

Penetration Testing

Orro offers a number of efficient and repeatable security assurance testing services, aligned to an organisation’s risk appetite.

The packages recognise the need for flexibility and are structured to provide the optimum value based on time, effort, complexity, reporting and tools for conducting regular compliance testing.

Service Overview

Routine periodic penetration testing of customer web-based applications.
Aligns to industry standards to support ongoing compliance.
Three levels of service – Bronze, Silver and Gold.

Business Value

Ensure the best balance between security confidence, time and cost to improve the security posture.
Security assurance of production applications using industrialised and well-defined services.
Light-touch stakeholder involvement.
Pre-defined services, fixed duration and cost simplifying engagement and billing.

Service Activities

Maintain a ‘Security Asset Register’ of customer applications and services to perform various health checks against applications periodically with the frequency determined by the risk rating of the asset.
Scheduled health check reports available in Orro Customer Portal.
Orro will periodically review the risk and vulnerability findings with customer stakeholders.

Orro Security Assurance Packages


The Bronze testing package offers basic assurance around lower risk applications against a standard compliance checklist. Example application types included in this category are 3rd party static content and internal non-authenticated sites.


The Silver testing package offers cost-effective testing for 2nd tier applications that require standard web application assurance testing. This will typically require an external tool-based vulnerability scan, with findings being manually verified where possible, as well as a traditional web application penetration test focusing on OWASP Top 10 / CWE Top 25 compliance.


The Gold testing package caters for high-risk applications requiring more comprehensive assessment due to the sensitive or critical nature of the information, platform or application. This focuses on applications that are typically required to be tested annually, such as those within PCI or other regulatory scope, and/or pose a high risk to business continuity.

The premium penetration testing package includes:

  • Internal and external vulnerability scans, with manual investigation and verification of reported findings.
  • Automated penetration testing utilising industry leading tools, as well as manual assessment against current vulnerabilities and potential vulnerabilities presented by specific application conditions.

This package also caters for the following optional activities:

  • Host assessment of the critical infrastructure required to offer the service, investigating critical configuration and management processes.
  • A limited number of applications undergoing source code review.

Penetration Testing – Project Based

Orro offers custom penetration testing services to deliver the best value for a project’s specific security requirements in alignment to a customer’s risk appetite and security policy.

The services are structured to provide the optimum value based on project scope, time, effort, complexity, reporting and tools for conducting project based testing.

Testing services can be customised on a project-by-project basis to target the unique requirements of each engagement.

Service Overview

Orro provides security expertise in a variety of business contexts ranging from high level security strategy, risk assessment and architectural reviews down to project-based code review and penetration testing.

The Orro service is aligned to industry standards to support ongoing compliance utilising our real-world experience in web, mobile, middleware and backend enterprise platforms.

Business Value

Early detection of preventable security risks and issues before they cause customer service impacts.
Ability to augment the skillsets of existing customer teams and projects to provide tailored security expertise.
Global team to conduct testing when it best suits customers.

Service Options

Penetration Testing.
Automated code review.
Host configuration reviews.

Our services

Application Security Assessment

Orro’s application security assessment methodology is founded on industry guidelines such as OWASP and the CWE Top 25. Applications are reviewed from a variety of perspectives, both authenticated and unauthenticated, to ensure that the impacts of security threats, whether internal or external, are properly understood.

Our application security assessment service integrates seamlessly into our client’s SDLC. We work with developers and platform teams to communicate and educate on issues which we identify. Our service is scalable, leveraging a combination of automated and manual assessment of applications as well as the environments in which they operate.

Application Code Security Review

Orro maintains strong security-focused application development expertise which supports our internal and external services. We offer a comprehensive application code security review service which is both flexible (covering numerous platforms and frameworks) and informative. This supports application development teams in the understanding and remediation of security issues within the SDLC.

The application code security review is delivered via an automated or interactive service, based on time and cost constraints within application development programs.

Host Configuration Review

A host configuration review is specific to a device configuration and generally independent of the application and network assessments. The host configuration review covers components such as:

Operating systems updates and patches.
Default configuration.
File system permissions.
Misconfiguration of, and any known vulnerabilities with, installed services.
Security controls used in the provision of services on the fileserver.
Configurations of supporting applications.
No extraneous services are running.
Comparison against provided baseline configuration.


The Orro Customer Portal provides a reporting capability with an industry-strength data analytics and insights engine. A standard report includes a high level summary of findings, detailed descriptions of findings, associated risk ratings and recommendations. These reports are written by Orro staff and are tailored to be relevant to a customer’s specific environment. Underlying tool-specific reports containing the generic security data are also available upon request.

Developer Security Training

Identifying application security defects is only one of the steps involved in improving application resilience and security. For this reason, Orro provides optional follow-up education and training sessions, as well as code walkthroughs, to help establish a culture of security inside development teams.

Why Orro?

We are:

a Gartner recognised managed security service provider.
ISO27001 Certified and the scope of our certification includes all processes and procedures.
a true 24x7x365 Cyber Security Services Provider.
Australian-based with follow-the-sun services.
flexible, creative and robust without the overheads of international suppliers.
experienced, security cleared and qualified.
focused on Security; our Clients are part of a trusted community that shapes everything we do.

We deliver:

our services from our Cyber SOCs located in Sydney, Melbourne and London.
deep & broad security expertise across a range of industries.
incremental and modular service delivery to flex up and flex down as Client needs evolve.
One Team working collaboratively with our Clients who have access to all our capabilities.

Gartner Extract:

Asia/Pacific Context: ‘Magic Quadrant for Managed Security Services, Worldwide’ Published: 27 April 2018 ID: G00345198
Analyst(s): Sid Deshpande, Craig Lawson, Rajpreet Kaur

Founded in 1999, [Orro] is a pure-play security company that provides managed security, consulting and assurance services. Its client base is predominantly in Australia today, and it specializes in general-purpose MSS, along with offering consulting services that support customers’ security operations requirements. [Orro] offers management capability for a wide range of network security and threat management functions. It also supports more granular service deliverables than many larger providers by being able to provide out-tasking and overflow support on top of the more standardized MSS SLA-based management and monitoring of security products. [Orro] is able to compete with larger competitors because of its flexible service delivery options and its ability to customize service delivery for a wide range of customer requirements. [Orro] operates out of four locations (Australia [Brisbane, Melbourne and Sydney] and London, the U.K.), with two SOCs in Sydney and Melbourne.