Custom Application Penetration Testing
Redspin's Application Security Assessment reviews and evaluates the level of risk associated with an application in terms of its vulnerabilities and the potential disclosure of sensitive information. The primary goals of this assessment are to:
- Provide management with an understanding of the level of risk introduced by the application.
- Provide recommendations and details to facilitate a cost-effective and targeted mitigation approach.
- Create a basis for future decisions regarding information security strategy and resource allocation.
What are some of the questions an Application Security Assessment answers?
- How easy is it to gain unauthorized access to my application?
- Did the development team follow good security practices?
- If someone's credentials are stolen, how vulnerable is the application?
- If we have many issues, what do we fix first?
- Can I get a second set of eyes on my systems?
The assessment criteria are based on coverage of the classes of vulnerabilities identified in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (CWE/SANS), which fall into the following three areas:
1. Insecure Interaction Between Components — These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. Tests in this area cover Injection, Unrestricted Upload, Operating System (OS) Command Injection, Information Exposure Through an Error Message, and Race Conditions.
2. Risky Resource Management — The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. Tests in this area cover Classic Buffer Overflow, Buffer Access with Incorrect Length Value, Improper Check for Unusual or Exceptional Conditions, PHP File Inclusion, Improper Validation of Array Index, Integer Overflow or Wraparound, Incorrect Calculation of Buffer Size, Download of Code Without Integrity Check, and Allocation of Resources Without Limits or Throttling.
3. Porous Defenses — The weaknesses in this category are related to defensive techniques that are often misused, abused, or simply ignored. Tests in this area cover Improper Access Control (Authorization), Reliance on Untrusted Inputs in a Security Decision, Missing Encryption of Sensitive Data, Use of Hard-coded Credentials, Missing Authentication for Critical Function, Incorrect Permission Assignment for Critical Resource, and Use of a Broken or Risky Cryptographic Algorithm.
How comprehensively each area can be reviewed depends on the level of access granted and on whether source code is provided.
Redspin's application assessments also address specific regulatory requirements, such as FFIEC/GLBA, HIPAA/HITECH, and PCI DSS requirement 11.3.2.
Redspin's Application Security Assessment uses our proven process to ensure consistent, high-quality, risk-based analysis. The testing process for application analysis is a structured sequence of steps, each of which is meant to give the tester additional knowledge of the application's structure and to conclusively confirm the existence of a specific vulnerability, thereby eliminating false positives. The process begins with resource and content enumeration, followed by a review of the application configuration and its associated communication methods. Testing of the input sources the application accepts from users is then performed, concluding with the testing of login forms and credentials and the examination of the session-handling processes used by the application.