Application Security Assessments

Redspin offers in-depth security assessments for web applications, mobile applications, and internal/custom applications.

Both our web application and mobile application penetration testing services utilize industry-standard software tools to profile the application by identifying accessible services, ports, and systems. Our expert engineers then manually analyze the application for business logic flaws and simulate real-world attacks to identify inherent vulnerabilities and potential threats.

The goal of the application security assessment is to:

  • Identify weaknesses in default configurations
  • Bypass authentication and authorization controls
  • Escalate privileges
  • Access and modify data or data presentation
  • Identify security weaknesses leading to inappropriate access, unintended application use, and loss of data integrity

Redspin's web application security assessment methodology follows the OWASP Top Ten classes of vulnerabilities, including data validation (SQL injection, cross-site scripting, buffer overflows, etc.), session management, access controls (authentication and authorization controls), use of cryptography, and use of third-party components (patching, configuration errors, etc.).

Redspin's mobile application security assessment methodology follows v1.0 of the OWASP Top 10 Mobile Risks and includes: insecure data storage, weak server side controls, client side injection, poor authorization and authentication, improper session handling, security decisions via untrusted ports, side channel data leakage, broken cryptography, and sensitive information disclosure.

Services Offered

Basic – Fixed price. Designed for organizations that want an initial assessment of whether or not their applications are secure. The basic assessment includes an application scan and 3 days of manual testing and reporting.

The questions that the Basic Application Security Assessment seeks to answer are:

  • Can an attacker break into my application?
  • Are there known security misconfigurations in my application?
  • Does the application handle basic security well? (This includes session management, authentication, and administration.)
  • Should I be worried about a prior or imminent attack?

Advanced – The scope of work and pricing varies based on the size and complexity of the application. Before a proposal and quote is sent, we schedule a demonstration or "walk-thru" of the application with a Redspin security engineer. The testing is more comprehensive and in-depth than a basic assessment and is meant for applications that process and store confidential or proprietary information and applications that are mission or business critical.

The questions that the Advanced Application Security Assessment seeks to answer include:

  • What would a state-sponsored or highly trained attacker be able to achieve if they focused on my application?
  • What overarching flaws appear to be present in my software development lifecycle?
  • What business logic flaws may be present in my application?

Enterprise – Annual pricing. This is the gold standard of application security assessments. Redspin's Enterprise Application Assessments include two Advanced-scope tests scheduled approximately six months apart. Each month, a new validation is provided to the client, indicating which findings have been remediated and which have not.

The questions that the Enterprise Application Security Assessment seeks to answer include:

  • How does my application security change over time?
  • How can my organization get the most "bang" for its buck in application assessments?
  • How quickly can my developers respond to vulnerabilities?

Our security engineers understand that every application is unique, with specialized requirements. Business necessities such as time-to-market, multi-location development (including offshore), and limited resources often greatly limit the extent to which security testing is built in to the software development process. In other environments, engineering teams apply security best practices through rigorous adherence to a software development lifecycle (SDLC) methodology.

Redspin's application security assessments provide you with assurance that your critical application can withstand common Internet and internal threats. We tailor our efforts to identify the most critical vulnerabilities within a short time period and with minimal impact to production systems. If we find serious vulnerabilities that require immediate remediation, we will notify you on the spot so that you can take the appropriate action.

"The Redspin web application assessment experience has not only helped us reduce vulnerabilities, but we have improved our process..."
- Redspin Customer