As enterprise networks are replaced by logical layers in the cloud, managing application security risk has become a mission critical business objective. The attack surface and volume introduced by web and mobile applications is already staggering, and the movement towards cloud services, the internet of things (IoT), and software defined networking (SDN) will only increase the risks. Redspin’s proven process works regardless of whether you have a web application or a mobile application, or you’ve integrated multiple cloud providers and/or service layers.
Application security testing by professional security engineers, not software.
All application penetration testing and security assessments are performed by Redspin’s world-class engineering team. We leverage over a decade of experience and proprietary research amassed from thousands of assessments. We use real human intelligence and manual analysis to find the best strategies to secure your application, lower your security risk, and minimize business and service disruptions.
Common Goals for a Application Security Assessment
- Understand the security risks with in the application (or development life cycle)
- Understand the impact of each vulnerability, flaw, or weakness
- Prioritize risks and mitigation strategy to lower risk immediately and efficiently
- Set the foundation for application and development security strategy
TALK TO A REDSPIN
Scope and Methodology
Redspin’s web/mobile application security test usually proceeds in 3-4 stages:
- Host and service enumeration.
- Resource and content enumeration.
- Application configuration and network communication discovery.
- Manual testing of logins, credentials, sessions/cookies, and application behavior.
Redspin’s proven application security testing methodology prioritizes vulnerabilities according to risk and impact, and then delivers clear and concise recommendations to mitigate application flaws as quickly as possible. When serious or critical vulnerabilities are discovered, we notify you immediately with actionable recommendations.
Redspin uses findings, research, and tools from 1000’s of security assessments, as well as a standards based approach from Open Web Application Security Project Top 10 (OWASP Top 10) and the 2010 CWE / SANS Top 25 Most Dangerous Programming Errors (CWE/SANS):
OWASP Top 10 (Open Web Application Security Project)
Can we send malicious code/scripts to the system?
A2 Broken Authentication and Session Management
Secure authentication is hard. Can we exploit parts of the app, like: Logout, password management, timeouts, remember me, secret questions, account update, etc.
A3 Cross-Site Scripting (XSS)
Can we untrusted data to exploit the interpreter in the browser? The most wide spread web application security flaw.
A4 Insecure Direct Object Reference
Can we change parameters to gain access to unauthorized objects?
A5 Security Misconfiguration
Can we access default accounts, unused pages, unpatched flaws, unprotected files or directories, etc. to gain unauthorized access to or knowledge of the system.
A6 Sensitive Data Exposure
Can we get unencrypted or weakly encrypted sensitive data by a man in the middle attack, exploiting the browser, stealing keys, interception clear text in transit, etc.
A7 Missing Function Level Access Control
Is access granted when a user changes parameters to access privileged functions?
A8 Cross-Site Request Forgery (CSRF)
Can we forge an HTTP request and trick users into submitting them?
A9 Using Components with Known Vulnerabilities
Can we use scanning or manual analysis to find a weak or bad components?
A10 Invalid Redirects and Forwards
Can we use the system to redirect or forward the user to a phishing site or malicious URL?
CWE/SANS Top 25 Most Dangerous Programming Errors
Each of the 25 problems fall into 3 primary categories:
Insecure Interaction Between Components: These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. Including tests for Injection, Unrestricted Upload, Operating System (OS) Command Injection, Information Exposure Through an Error Message, and Race Conditions.
Risky Resource Management: The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. Including tests for Classic Buffer Overflow, Buffer Access with Incorrect Length Value, Improper Check for Unusual or Exceptional Conditions, PHP File Inclusion, Improper Validation of Array Index, Integer Overflow or Wraparound, Incorrect Calculation of Buffer Size, Download of Code Without Integrity Check, and Allocation of Resources Without Limits or Throttling.
Porous Defenses: The weaknesses in this category are related to defensive techniques that are often misused, abused or simply ignored. Including tests for Improper Access Control (Authorization), Reliance on Untrusted Inputs in a Security Decision, Missing Encryption of Sensitive Data, Use of Hard-coded Credentials, Missing Authentication for Critical Function, Incorrect Permission Assignment for Critical Resource, and Use of a Broken or Risky Cryptographic Algorithm.
SANS Top 25 List
- Failure to preserve web page structure (Cross-site scripting)
- Improper sanitization of special elements used in a SQL command (SQL injection)
- Buffer copy without checking the size of input (Classic buffer overflow)
- Cross-site request forgery
- Improper access control (Authorization)
- Reliance on untrusted inputs in a security decision
- Improper limitation of a pathname to a restricted directory (Path traversal)
- Unrestricted upload of a file with dangerous type
- Improper sanitization of special elements used in an OS command (OS command injection)
- Missing encryption of sensitive data
- Use of hard-coded credentials
- Buffer access with incorrect length value
- Improper control of filename for include/require statement in PHP program (PHP file inclusion)
- Improper validation of array index
- Improper check for unusual or exceptional conditions
- Information exposure through an error message
- Integer overflow or wraparound
- Incorrect calculation of buffer size
- Missing authentication for critical function
- Download of code without integrity check
- Incorrect permission assignment for critical resource
- Allocation of resources without limits or throttling
- URL redirection to untrusted site (Open redirect)
- Use of a broken or risky cryptographic algorithm
- Race condition
Penetration Testing Services
Redspin’s end-to-end security assessment services.