Application Security

Sense of Security has extensive experience in assessing application security, both web (browser-based) and non-web (client/server, compiled binaries, command-line tools and similar), covering front-end and back-end systems. History has shown that software defects, bugs and logic flaws are consistently the primary cause of commonly exploited application vulnerabilities. These can lead to unauthorised access to your networks, systems and application data.

Web Application Security and Web Services Security

According to research by Gartner, an estimated 70% of all security breaches are due to vulnerabilities within the web application layer (attacks conducted exclusively over HTTP/HTTPS). Traditional security mechanisms such as firewalls and intrusion detection systems (IDS) provide little or no protection against attacks on your web applications.

Our Methodology and Approach

A web application security review identifies vulnerabilities inherent in the code of the web application itself, regardless of the technology in which it is implemented or the security of the web server and back-end database on which it is built. Specifically, it analyses the critical components of a web-based portal, e-commerce application or web services platform. A web application audit can be performed on its own or in conjunction with a penetration test, as the two assessments are complementary and model threats from different perspectives.

Using our detailed methodology and a combination of manual techniques and proprietary and commercial tools, this type of assessment pinpoints specific vulnerabilities and identifies the underlying weaknesses in the web application.

As part of a web application security assessment, our team will analyse the following key areas within your applications:

Architecture

Business Logic, Functional Specification & Implementation

Authentication

Access Control & Authorisation

Cryptography

Session Management

Data Validation

Error Condition Handling & Exception Management

Data Confidentiality

Management Interface

Privacy Concerns

Our approach to web application testing and web services security is consistent with the practices documented in the Open Web Application Security Project (OWASP) guides, and is complemented with the extensive experience our consultants have gained by performing hundreds of prior engagements.

Typical Findings

Our testing commonly reveals web application vulnerabilities including, but not limited to:

Hidden manipulation

Parameter tampering

Cookie poisoning

Cross Site Scripting (XSS)

Stealth commanding

Forceful browsing

Directory traversal

Session hijacking

Denial of service

Information disclosure

Backdoors and debug options

Configuration subversion

Buffer overflow

Vendor option exploitation

Access to administration areas and internal modules

SQL injection

Improper management of permissions

XML/SOAP vulnerabilities

HTTP attacks


Our Services

We can assist with the development of application security frameworks, application development training and the implementation of a secure Software Development Lifecycle (SDLC), through to source code reviews and application penetration testing.

Sense of Security is also experienced in performing web application penetration testing that addresses the annual PCI DSS compliance testing requirements.