user_mobilelogo

Diversity of Experience

Passionate, hard-working and exciting; that's how I'd describe Michael in the work place. He has a unique way of viewing products, creating and inventing unique solutions in security...products that no one else could imagine and then take to market. In addition, his diversity of experience brings something extremely valuable to the table which cannot be ignored. Michael is a true professional. I enjoyed working with him.

Mike Floyd, Director Business Development at ASCEND Software Solutions Pvt Ltd

Thought Leader

Michael is a thought leader in the industry. He provides a superior product and service at a cost that cannot be replicated by tradition means. He is knowledgeable, ambitious, and always willing to help.

Brian Pecjo, Director, Information Technology at Harvard Clinical Research InstituteHarvard Clinical Research Institute

Web application security assessments determine the application’s risk as defined by its ability to maintain the integrity of data and business processes, uninterrupted availability of service and confidentiality of customer data. Security Privateers examines the application with an established methodology that includes manual techniques developed from significant experience in the field, custom tools to improve efficiency and accuracy of testing and open-source tools.

 A Security Privateers Web Application Assessment provides valuable input when assessing risks.  Applying good IT risk management will provide tangible business benefits, e.g., fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and ability to create innovative applications supporting new business initiatives.

Statement of Work and Methodology

At the start of a project we consider the business threats and risks. Scoring is based on how critical the application or data handled by the application is for your business.

Map Regulatory Compliance Requirements

SECURITY PRIVATEERS will map data classification requirements and policies and procedures to applicable regulatory and compliance requirements such as HIPAA/HITECH/GLBA/Sarbanes-Oxley, FISMA, FERPA, PCI or other governmental or industry regulatory compliance as designated by Client.

External Penetration Testing 

This component of the Web App Assessment will consist of remote scans and tests generated from our remote operations center to determine if known vulnerabilities can be detected in Internet-facing hosts.  Click here for more information on Penetration Testing.

Profiling the Application

  • Enumerate the Directory Structure and Files
  • Identify Authentication Mechanism
  • Identify Authorization Mechanism
  • Identify All "Support" Files
  • Identify All Include Files
  • Enumerate All Forms
  • Enumerate All GET Parameters
  • Identify Vectors for Directory Attacks
  • Identify Areas that Provide File Upload Capability
  • Identify Errors
  • Determine Which Pages Require SSL

Tests are performed to identify at a minimum the top 10 Open Web Application Security Project (OWASP) vulnerabilities, including, but not limited to:

  1. SQL Injection
  2. Broken Authentication and Session Management
  3. Cross Site Scripting (XSS)
  4. Insecure Direct Object Referencing
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

Web applicable tests are executed from three perspectives:

Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the user logon authentication process, session management, as well as attempting to uncover other areas on the target application that may provide remote, unauthenticated, or unauthorized access.

Authenticated User: This test is carried out from the perspective of normal user’s knowledge. Therefore a set of valid user login accounts and passwords are required. The focus is on checking authentication and authorization controls and procedures, roles, and limitations such as time restrictions and potential contamination (assuming the access rights of another user, viewing and modifying data of another user).

Administrative/Root user: Root user has full access to administrate, add users, delete users and possibly change authentication methods.   This user is tracked for access, and to prevent any malicious or destructive actions.

Click or call today to get more information. Contact Us / (877) 948-1289