Application Security Audit / Review

Positioning: All-encompassing security audit of an application, taking account of technical and/or organizational issues.

The vast majority of the security vulnerabilities that can be exploited today are based on errors or vulnerabilities in programs. Software can only be considered (relatively) secure if the relevant security aspects were taken fully into account during its design, development and operations phases.

Typical application samples to be tested by means of an application security audit

  • Databases
  • Web applications (eCommerce solutions like online shops or online banking platforms)
  • Distributed applications (multi-tier applications with separate presentation, business and database layers)
  • etc.


Recommendation

During an application security audit, our security experts test the security level of an application from a holistic perspective. An application can normally only be as secure as the environment in which it is operated. For this reason, we recommend first carrying out a penetration test on the system components that interact closely with the actual application, such as:

  • Operating systems (clients, servers and the network components located between them)
  • Web servers
  • Databases
  • etc.


Procedure

Depending on the remit, the procedure might be as follows:

  • Review of documentation and control processes
  • Comparison of the functionality defined in the documentation with the functionality that is actually implemented
  • Automated and manual review of the source code
  • Attacks on client and server components with the aim of affecting the confidentiality, availability, integrity and trustworthiness of data and services

Our security experts know how skilled (and less skilled) potential attackers work, and use the same attack methods and tools to test the security of the client's system. These include:

  • Stack and Heap Corruption
  • Input and Logfile Poisoning
  • Network Sniffing / Man in the middle
  • API Monitoring
  • Reverse Engineering / Debugging / Decompilation
  • Client Bypassing
  • Social Engineering
  • Profiling Detection Evasion
  • Session Analysis/Manipulation
  • Hijacking
  • Phishing / DNS Hijacking
  • Input Validation/Manipulation
  • SQL/Script Injection
  • Spoofing
  • Identity Theft
  • Iframe Injection
  • XSS (Cross-Site Scripting)
  • Web Bugs

It is not always possible to close all the security loopholes that are detected, especially when they originate in the design or in vulnerable system calls or services.


Benefits for the client

  • Security loopholes and potential weaknesses that are detected are immediately reported to the contact (if required), together with a proposed solution. This procedure is suitable for iterative application hardening.
  • We will not issue a "this application is secure" stamp, since no software is 100% secure. However, it is possible to configure a software product in such a way that the effort involved for a potential attacker is too great to justify the rewards. This is an approach that is also used in areas such as cryptography.
  • The client receives a comprehensive and substantial final report, including a list and assessment of the remaining risks and suggestions for appropriate countermeasures, thus enabling proactive risk management.

If you're interested in OneConsult and you'd like a no-obligation consultation or more information, please contact us. Our staff members regularly speak and write on application security. The associated presentations as well as articles published in the specialist media can be found here.


© 2008 OneConsult GmbH. All rights reserved.