(Web) Application Security Audit - a technical in-depth security audit of a (web) application
The vast majority of present-day security vulnerabilities can be exploited because of flaws inside applications. To make sure that an application fulfils its security requirements, it should be tested for vulnerabilities on a regular basis.
Web Application Security Audit
Web applications have become one of the main targets of hacking attempts. Why? Over the years, websites have evolved from static pages into complex, dynamic web applications that offer far more functionality than simply rendering text content. Nowadays you can use web applications to work with large and complex systems like SAP, and equally to administer the embedded DSL router at home. The fields of application are numerous. This flexibility was only made possible by many technical extensions, such as bidirectional user communication and the management of user sessions. However, every extension increased the risk of security vulnerabilities.
Our Services
Vulnerability assessment
During an application assessment our auditors utilize methodologies and techniques which are also used in real hacking attempts. Depending on the audit scope the following tests could be part of an application audit:
- Assessment of security relevant functions and mechanisms
- Automated and manual source code review
- Comparison of the documented functionality and the functionality that is actually implemented
In the case of a Web Application Security Audit we test web applications for, among other things, the OWASP Top Ten. The “Open Web Application Security Project” (OWASP) is an open community whose mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. The “OWASP Top Ten” is an acknowledged consensus of security experts that defines the ten most serious web application vulnerabilities. The following list shows the current stable version.
OWASP Top Ten
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
Impact analysis of vulnerabilities
In order to analyze the impact of a vulnerability, the auditors exploit discovered security flaws and try to attack the surrounding IT infrastructure. This offers the opportunity to identify additional vulnerabilities which are indirectly linked to the web application.
Assessment from differing perspectives
- Users without access permissions (unprivileged)
- Users with extended access permissions (privileged)
The client defines the level of information available to both parties (testers and administrators/users):

| Approach | Description |
| --- | --- |
| Black Box | The testers have no prior knowledge of the systems to be tested. The objective is to assess how much information leaks out to an outsider. |
| White Box | The testers obtain all available detailed information about the systems to be audited. The objective is to simulate an attack with insider information. |
| Gray Box | The testers obtain partial information about the systems. The objective is close to the black box approach, but this approach speeds up the audit by avoiding wasted project time. |
Comprehensive audit reports
- In the report you get a realistic estimation of the threat potential
- The audit results are presented in a way that makes the next required action directly apparent
- For every discovered vulnerability we propose solutions, so that you can quickly start to resolve the issue
- As an option, the report can be written OSSTMM-compliant
Questions you are able to answer after a (Web) Application Security Audit:
- Are there vulnerabilities in the (web) application?
- Are the security measures currently in place in accordance with the state of the art?
- Which attack vectors are available to attackers?
- What impact does a vulnerability in the (web) application have on the IT infrastructure?
- What can be done to improve the security of the (web) application?
A (Web) Application Security Audit makes it possible to guarantee a high level of security. By taking the appropriate measures you protect the users of your (web) application, the (web) application itself, your IT infrastructure and your company from the consequences of a hacking attack.
Beyond (Web) Application Security Audits
In cooperation with our customers we constantly work to improve the security of web applications. To that end, OneConsult offers dedicated training courses on web application security and secure software development. Starting with common approaches, you learn how a web server, a web application itself and backend systems such as databases are attacked. In our hands-on training you perform the individual steps of recent attacks and experience the attack paths of a real hacker. Finally, you discuss possible countermeasures that mitigate these attacks and learn the basics of secure software development.
If you're interested in OneConsult and you'd like a no-obligation consultation or more information, please contact us. Our staff members regularly speak and write on application security. The associated presentations, as well as articles published in the specialist media, can be found here.