Application Security is Often Overlooked
Improperly configured or poorly controlled applications are prime targets for attackers. Almost all modern applications are Internet-enabled and tie into networks of databases, so there can be a direct line from a simple home accounting program to high-value data. Attackers have found that compromising an application is often simpler than attacking a mainframe or network directly, and it yields easy access to personal information such as billing addresses, credit card numbers and other personal data fields, which in turn makes crimes like identity theft, credit card fraud and information brokering simple.
Application security testing lets you know, ideally before an application goes live, whether it is vulnerable to compromise by an attacker from outside or from within. Is the application vulnerable to SQL injection, cross-site scripting or other common attacks? Before you trust confidential customer data to an ASP (Application Service Provider), it is imperative that you make sure the application was properly tested for vulnerabilities. GDF can test an application for vulnerabilities, help secure it and leave your organization's data substantially more secure.
Application Security Assessment Protocol
Analysis and Review
The first step is to gain a thorough understanding of the application, how it is used, and the types of data that might be exposed to threat. We also review the vendor's security policies and certifications, and audit any related documents they may have, e.g. a SAS 70 report.
Where a certification such as SAS 70 is not available, GDF visits the data center to perform a thorough physical inspection of the facility and its equipment, review policy and procedure, verify that the stated security devices actually exist, and interview key security personnel. From this we formulate a basic rating of both the physical security and the vendor's ability to maintain reasonable security levels.
Application Security Analysis
We review the application source code and thoroughly examine and rate its security implementation. We review and test the design and implementation of any database connections for exploitable flaws, as well as the code that handles client data. After examining the code, we attempt to compromise (break into) the application and related systems. We then produce an overall rating of the application's security together with detailed recommendations for improvement.
Authentication Methodology Review
We review the technologies used to authenticate users and protect data in transit, and review the policies governing authentication from both the vendor's perspective and the client's internal policies to ensure best practices are being followed. We then test the authentication controls through full penetration testing.
GDF provides the client with an overview of the overall security model and its implementation, including detailed recommendations for improving it and for maintaining the application's authentication model. Finally, we follow up to ensure the recommendations were implemented correctly and best practices are being followed.
Networked Application Security
Organizations that use ASPs rather than hosting their own applications should know whether the hosted application has been tested. Once an organization decides to trust an ASP with its data, the diligent and prudent practice is to have the ASP security-test the application(s) and supply a copy of the resulting report to the organization for review. This allows the organization to understand the risks thoroughly and take appropriate measures.
Many clients opt to have GDF test any application that is hosted by an ASP and may contain sensitive data. As in any situation, prevention is far less costly than an emergency response. We test:
- Server Configurations
- Session Management Security
- Cookie Poisoning
- Cross Site Scripting
- CGI Manipulation
- Buffer Overruns/Overflows
- Weak Passwords
- ACL Integrity
- Command Injection
- Forceful Browsing
- Cryptography Configuration
- Hidden and Form Field Manipulation
- And much more…
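As an added illustration of two items on this list (hidden form field manipulation and cookie poisoning), the following is example code, not GDF's own tooling or code from the original page. It shows each weakness beside a hardened handler. The shop catalogue, the form bodies, the cookie layout and the secret key are all constructed for the example.

```python
"""Vulnerable vs. hardened server-side handlers for two of the checks above.
Example code added for illustration; not GDF's tooling. The catalogue, form
bodies, cookie format and secret key are constructed for this example."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only price the server should trust.
CATALOGUE = {"widget": 2500}  # price in cents


# --- Hidden and form field manipulation ------------------------------------
def checkout_vulnerable(form_body: str) -> int:
    """Trusts a hidden <input name="price"> echoed back by the browser."""
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    price = int(form["price"][0])  # attacker controls this value
    return qty * price


def checkout_hardened(form_body: str) -> int:
    """Ignores any client-supplied price and looks it up server-side."""
    form = parse_qs(form_body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOGUE or not 1 <= qty <= 100:
        raise ValueError("invalid order")
    return qty * CATALOGUE[sku]


# --- Cookie poisoning ---------------------------------------------------------
# Constructed per-process secret; a real deployment loads it from a secret store.
SECRET_KEY = secrets.token_bytes(32)


def role_from_cookie_vulnerable(cookie: str) -> str:
    """Reads the role straight out of the cookie, so 'role=admin' is accepted."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";"))
    return fields["role"]


def make_signed_cookie(user: str, role: str, key: bytes = SECRET_KEY) -> str:
    """Appends an HMAC-SHA256 tag over the payload so tampering is detectable."""
    payload = f"user={user};role={role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};sig={tag}"


def role_from_cookie_hardened(cookie: str, key: bytes = SECRET_KEY) -> str:
    """Accepts the role only if the tag over the payload verifies."""
    payload, sep, sig = cookie.rpartition(";sig=")
    if not sep:
        raise ValueError("unsigned cookie")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("cookie tampered")
    fields = dict(kv.split("=", 1) for kv in payload.split(";"))
    return fields["role"]


if __name__ == "__main__":
    # Attacker edits the hidden price field from 2500 to 1 before submitting.
    tampered = "sku=widget&qty=2&price=1"
    print(checkout_vulnerable(tampered))  # 2: the attacker pays two cents
    print(checkout_hardened(tampered))    # 5000: the server-side price wins

    # Attacker rewrites role=user to role=admin in an unsigned cookie.
    print(role_from_cookie_vulnerable("user=bob;role=admin"))  # admin
    good = make_signed_cookie("bob", "user")
    print(role_from_cookie_hardened(good))  # user
    forged = good.replace("role=user", "role=admin")
    try:
        role_from_cookie_hardened(forged)
    except ValueError as err:
        print("rejected:", err)  # rejected: cookie tampered
```

The hardened handlers share one principle: anything the browser sends back (hidden fields, cookie contents) is untrusted input, so the server either recomputes it from its own data or verifies integrity with a key the client never sees. Signing alone does not hide the cookie's contents; where confidentiality also matters, store a random session identifier instead and keep the attributes server-side.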