Web application security assessments determine the application’s risk as defined by its ability to maintain the integrity of data and business processes, uninterrupted availability of service and confidentiality of customer data. Security Privateers examines the application with an established methodology that includes manual techniques developed from significant experience in the field, custom tools to improve efficiency and accuracy of testing and open-source tools.
A Security Privateers Web Application Assessment provides valuable input when assessing risks. Applying good IT risk management will provide tangible business benefits, e.g., fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and ability to create innovative applications supporting new business initiatives.
Statement of Work and Methodology
At the start of a project we consider the business threats and risks. Scoring is based on how critical the application or data handled by the application is for your business.
Map Regulatory Compliance Requirements
SECURITY PRIVATEERS will map data classification requirements and policies and procedures to applicable regulatory and compliance requirements such as HIPAA/HITECH/GLBA/Sarbanes-Oxley, FISMA, FERPA, PCI or other governmental or industry regulatory compliance as designated by Client.
External Penetration Testing
This component of the Web App Assessment will consist of remote scans and tests generated from our remote operations center to determine if known vulnerabilities can be detected in Internet-facing hosts. Click here for more information on Penetration Testing.
Profiling the Application
- Enumerate the Directory Structure and Files
- Identify Authentication Mechanism
- Identify Authorization Mechanism
- Identify All "Support" Files
- Identify All Include Files
- Enumerate All Forms
- Enumerate All GET Parameters
- Identify Vectors for Directory Attacks
- Identify Areas that Provide File Upload Capability
- Identify Errors
- Determine Which Pages Require SSL
Tests are performed to identify at a minimum the top 10 Open Web Application Security Project (OWASP) vulnerabilities, including, but not limited to:
- SQL Injection
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object Referencing
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Web applicable tests are executed from three perspectives:
Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the user logon authentication process, session management, as well as attempting to uncover other areas on the target application that may provide remote, unauthenticated, or unauthorized access.
Authenticated User: This test is carried out from the perspective of normal user’s knowledge. Therefore a set of valid user login accounts and passwords are required. The focus is on checking authentication and authorization controls and procedures, roles, and limitations such as time restrictions and potential contamination (assuming the access rights of another user, viewing and modifying data of another user).
Administrative/Root user: Root user has full access to administrate, add users, delete users and possibly change authentication methods. This user is tracked for access, and to prevent any malicious or destructive actions.
Click or call today to get more information. Contact Us / (877) 948-1289