
Always Thinking Ahead

I have worked with Michael during his time at SECNAP. I felt my networks were always safe and managed in the best possible way. Michael was always thinking ahead and could anticipate my requirements due to our global spread. Michael's development and knowledge of the security industry always proved valuable for Gazit when implementing new solutions and expanding to new regions.

Ilan Zachar, CIO, Gazit Group USA

Motivated and Prepared

I had the pleasure of working with Mike at VenturCom and teamed directly with him on a number of significant accounts. He is a seasoned sales executive and is very customer focused. Mike creates solid business relationships, is able to understand the needs and requirements of prospects, and can communicate them clearly to the rest of the organization.


Web application security assessments determine the application’s risk as defined by its ability to maintain the integrity of data and business processes, uninterrupted availability of service and confidentiality of customer data. Security Privateers examines the application with an established methodology that includes manual techniques developed from significant experience in the field, custom tools to improve efficiency and accuracy of testing and open-source tools.

A Security Privateers Web Application Assessment provides valuable input when assessing risks. Applying good IT risk management provides tangible business benefits, e.g., fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and the ability to create innovative applications supporting new business initiatives.

Statement of Work and Methodology

At the start of a project we consider the business threats and risks. Findings are scored according to how critical the application, and the data it handles, is to your business.

Map Regulatory Compliance Requirements

SECURITY PRIVATEERS will map data classification requirements and policies and procedures to applicable regulatory and compliance requirements such as HIPAA/HITECH/GLBA/Sarbanes-Oxley, FISMA, FERPA, PCI or other governmental or industry regulatory compliance as designated by Client.

External Penetration Testing

This component of the Web App Assessment consists of remote scans and tests generated from our remote operations center to determine whether known vulnerabilities can be detected in Internet-facing hosts.

Profiling the Application

  • Enumerate the Directory Structure and Files
  • Identify Authentication Mechanism
  • Identify Authorization Mechanism
  • Identify All "Support" Files
  • Identify All Include Files
  • Enumerate All Forms
  • Enumerate All GET Parameters
  • Identify Vectors for Directory Attacks
  • Identify Areas that Provide File Upload Capability
  • Identify Errors
  • Determine Which Pages Require SSL

Tests are performed to identify at a minimum the top 10 Open Web Application Security Project (OWASP) vulnerabilities, including, but not limited to:

  1. SQL Injection
  2. Broken Authentication and Session Management
  3. Cross Site Scripting (XSS)
  4. Insecure Direct Object Referencing
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

Web application tests are executed from three perspectives:

Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the user logon authentication process and session management, as well as attempting to uncover other areas of the target application that may provide remote, unauthenticated, or unauthorized access.

Authenticated User: This test is carried out from the perspective of a normal user, so a set of valid user login accounts and passwords is required. The focus is on checking authentication and authorization controls and procedures, roles, and limitations such as time restrictions and potential contamination (assuming the access rights of another user, or viewing and modifying another user's data).

Administrative/Root User: The root user has full access to administer the application, add and delete users, and possibly change authentication methods. Activity under this account is tracked so that access can be audited and no malicious or destructive actions are taken.

Click or call today to get more information. Contact Us / (877) 948-1289