Web Applications Security Testing
A secure web application forms the basis of any business trading on the Internet. Without security in mind, applications become easy prey for online fraudsters targeting genuine, unsuspecting users.
The main goal of an application assessment is to uncover vulnerabilities, to demonstrate a practical situation in which these flaws can be exploited, and to provide recommendations for mitigating the risks identified. In most cases, application assessments are driven by one of two objectives: to obtain elevated access, or to gain unauthorised access to sensitive information.
Businesses with an online presence, especially those operating payment systems, often face a bigger risk. Attackers target applications to gain attention by uncovering flaws in major retailers, banks and other online businesses. Demonstrating risk in this scenario is realistic and has been gaining momentum, both through new attack vectors and through renewed attention to old risks. In a way, this encourages staff to tackle security issues before they spiral into reputational damage or related legal implications.
We have a dedicated security assessments FAQ section. Read it here.
The assessment-execution phase is followed by analysis and reporting. Defendza analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address both business and technical audiences, with supporting raw data and mitigation measures at strategic and tactical levels.
The business logic of the entire application must be reviewed. This is only possible after gaining an understanding of how the application behaves at different privilege levels. Using the threat-modelling phase and the knowledge gained from it, our consultants are in a position to exploit business-logic vulnerabilities that are often overlooked by developers.
Our consultants focus on the ten attack categories defined by the industry-standard OWASP Top 10. This includes:
Authentication and authorization problems are prevalent security vulnerabilities. Most mobile apps implement user authentication. Even though part of the authentication and state management logic is performed by the back end service, authentication is such an integral part of most mobile app architectures that understanding its common implementations is important.
The web server hosting the application is also considered a vital component during this testing. A weakness in the supporting infrastructure, including the configuration of the web server, could lead to a partial compromise of the application hosted on it.
This phase helps to
This is an important step towards gathering as much information as possible about the target application. It includes passively fingerprinting the CMS and obtaining data cached by Google about the technologies and web pages in use. Any data obtained during this phase helps plan the entire pentest properly.
Our reports are comprehensive and include all the evidence that supports our findings. We give you a risk rating that considers how likely an attack is as well as the impact it could have. We don’t create panic scenarios. Our mitigation is detailed, covering both strategic and tactical areas to help our clients prepare a remediation plan.
Apart from the range of commercial and open source tools available for specific testing, our team has its own custom scripts for efficient testing. We provide accurate results to make sure our clients completely understand any vulnerabilities we report.
Our teams are led by veteran security consultants who have held CREST accreditation for several years. Our experience shows that our clients are best served by being given the right advice for their cyber security needs. We do not believe in spreading fear, uncertainty and doubt to generate more business.