Application Security

The new gateway for intruders is the Application Layer.  Improperly configured or improperly controlled applications can open the door for hackers to access confidential information.  With more and more internet applications being deployed for on-line banking, bill pay, account information or policy information, tying into databases that contain personal information or corporate secrets, the hacking community has found attacking an application to be less complex and to reap bigger rewards.  For instance, if a hacker were to compromise a database through a company's on-line store, they may be able to gain personal information, such as billing addresses, credit card information or any number of personal data fields that enable identity theft, credit card fraud or information brokering.

Organizations that use ASPs (Application Service Providers) and don't host their own applications should be aware of whether the hosted application was tested.  Once an organization decides to trust an ASP with its data, the diligent practice is to require the ASP to have the application tested and to supply a copy of the report to the organization.  This process allows an organization to understand and minimize its risk.

Application Security Testing lets you know, ideally before an application goes live, whether it is vulnerable to compromise by an attacker from the outside or from within.  Is the application vulnerable to hacking, SQL Injection or Cross Site Scripting?  Before you trust confidential customer data to an ASP, be assured that the application was properly tested for vulnerabilities.  GDF can test an application for vulnerabilities, help secure it and make sure that your organization's data is secure.

Many clients opt to have GDF test any application that is hosted by an ASP and may contain sensitive data.  As in any situation, prevention is far less costly than response.

What Is Tested

  • Server Configurations
  • Session Management Security
  • Cookie Poisoning
  • Cross Site Scripting
  • CGI Manipulation
  • Buffer Overruns/Overflows
  • Weak Passwords
  • ACL Integrity
  • Command Injection
  • Forceful Browsing
  • Cryptography Configuration
  • Hidden and Form Field Manipulation
  • And more...

The Process

  • Phase 1 – Analysis and Review
    • Understand the use of the application and the types of Data the Client may entrust to the vendor.
    • Review the vendor's security policies and any available certification or audit documents, e.g. SAS 70.

  • Phase 2 – Basic Vulnerability Test
    • Physical inspection of the data center and equipment.
      • If a certification such as SAS 70 is not available, GDF will visit the physical location of the Data Center, review policy and procedure, verify the existence of security devices and interview key security personnel in order to formulate a basic rating of the physical security and of the vendor's ability to maintain reasonable security levels.
    • Network Vulnerability Analysis
      • While not a full-scale penetration test, the Basic Network Vulnerability Analysis allows GDF to determine whether common exploits or security holes exist that could expose Client Data.  Security device configuration, authentication and encryption methodologies, and overall security and exposure from the outside will be verified and tested.
      • A rating of the basic security will be generated.

  • Application Security Analysis
    • The application source code and the security implementation of the application will be reviewed and rated.
    • The methodologies and implementation of any database connections, and the code used to handle Client Data, will be reviewed and tested for possible exploits or security flaws.
    • An overall test of the application's security will be conducted by attempting to compromise the application and its related systems.
    • An overall rating of the application's security will be generated.

  • Authentication Methodology Review
    • The technologies used to authenticate users and protect data in transit will be reviewed.
    • The policies governing authentication will be reviewed from both the vendor's side and the Client's internal policies to ensure best practices are being followed.
    • A compromise of those technologies will be attempted.

  • Ratings and Recommendations
    • GDF will provide the Client with an overview of the overall security model and its implementation.
    • Detailed suggestions on improving the overall security model.
    • Suggestions to improve and maintain the authentication model of the application.
    • A follow-up to ensure that suggestions were implemented correctly and follow best practices.

Call us now, toll free at 1 (800) 868-8189, and we would be happy to answer all of your questions and tell you exactly which solutions we can provide for your business.

New York ° Miami ° Los Angeles ° Chicago ° Tampa ° Washington D.C. ° New England

Las Vegas ° Atlanta ° San Francisco ° Philadelphia ° Denver ° Boston

Phone Toll Free:   1-800-868-8189

From Outside the U.S.:  +1 727-287-6000

Fax:  727-287-6011