Assess your application security with Fiducia X
As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists.
Hackers are concentrating their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7/365 from anywhere in the world, insecure applications provide easy access to backend corporate databases.
FIREWALLS, SSL AND LOCKED-DOWN SERVERS ARE FUTILE AGAINST APPLICATION HACKING!
Application attacks, launched on port 80/443, go straight through the firewall, past operating system and network level security, and right into the heart of your application and corporate data. Web-based applications are often insufficiently tested, have undiscovered vulnerabilities and are therefore easy prey for hackers with malicious intent.
IF WEB APPLICATIONS ARE NOT SECURE, THEN YOUR ENTIRE DATABASE OF SENSITIVE INFORMATION IS AT SERIOUS RISK. WHY?
- Websites and related applications must be available 24 x 7 to provide the required service to customers, employees, suppliers and other stakeholders.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases; they therefore control valuable data and are much more difficult to secure.
- As a general guideline, tailor-made applications are more susceptible to attack because they receive less testing than off-the-shelf software.
- Malicious hackers prefer to target sensitive data because of the immense pay-off from selling it.
WHAT ARE APPLICATION SECURITY RISKS?
Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.
Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing all the way to putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.
Fiducia X is here to help secure your application
Fiducia X’s Application Security Assessment is a security audit, performed by experienced and certified security professionals. A key feature of the service, and one which cannot be delivered by relying solely on automated tools, is expert-led application security testing.
The service is designed to rigorously push the defences of network infrastructure and applications. It is suitable for commissioning, third party assurance, post-attack analysis, compliance audits and regulatory purposes where independence, security, reliability and quality of service are important requirements.
A final written report provides an analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of the service being tested.
The Application Security Assessment can be used to ensure compliance with PCI DSS (penetration testing) as it includes both network and application layer testing.
AREAS COVERED BY THE APPLICATION SECURITY ASSESSMENT:
- Configuration errors
- Application loopholes in server code or scripts
- Advice on data that could have been exposed due to past errors
- Testing for known vulnerabilities
- Reducing the risk and enticement to attack
- Advice on remediation of discovered vulnerabilities and future security plans
TYPICAL ISSUES DISCOVERED IN AN APPLICATION SECURITY ASSESSMENT:
- Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
- Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
- Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
- Cross Site Request Forgery
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
- Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
- Insecure Cryptographic Storage
Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
- Failure to Restrict URL Access
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
- Insufficient Transport Layer Protection
Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
- Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
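The Injection and Cross Site Scripting items above both come down to the same defect: untrusted data is handed to an interpreter (SQL engine or browser) in a form it cannot distinguish from code. The following is an added example, not Fiducia X's code and not from the original page, that places the vulnerable pattern beside its hardened form using only the Python standard library. The users table and its rows are constructed sample data.

```python
"""Added example (not from the page): SQL injection and XSS, vulnerable beside fixed."""
import html
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table (sample data, not real customers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input is concatenated into the query text, so SQLite
    cannot tell where the data ends and the command begins."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a parameterised query passes the input as a bound value; the
    driver never re-parses it as SQL, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_unsafe(name: str) -> str:
    """VULNERABLE (reflected XSS): untrusted text is placed into HTML as-is."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: html.escape turns < > & " ' into entities, so the browser shows
    the text instead of parsing it as markup or script."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


if __name__ == "__main__":
    db = make_sample_db()
    tautology = "' OR '1'='1"  # the classic textbook injection string
    print("vulnerable query returns", len(find_user_vulnerable(db, tautology)), "rows")
    print("parameterised query returns", len(find_user_safe(db, tautology)), "rows")
    print(render_greeting_unsafe("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

Run as a script, the tautology string makes the concatenated query return every user while the parameterised query returns none; the escaped greeting contains no live tag. The escaping shown is for HTML element content; attribute, JavaScript and URL contexts each need their own encoding, and a templating engine that escapes by default is the practical way to get this right everywhere.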
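The Insecure Direct Object References and Failure to Restrict URL Access items share one fix: the server must check authorization on every request, not rely on which links it chose to render. This added example (not Fiducia X's code, not from the original page) shows an object lookup with and without an ownership check, and a per-request path check against a role table. The users, documents and routes are constructed sample data.

```python
"""Added example (not from the page): server-side checks for IDOR and URL access."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin" (constructed roles)


# Constructed sample data: document id -> (owner, body)
DOCUMENTS = {
    101: ("alice", "alice's invoice"),
    102: ("bob", "bob's invoice"),
}

# Constructed route table: which role a path requires. Absent paths are public.
ROUTE_ROLES = {
    "/account": "user",
    "/admin/users": "admin",
}


class Forbidden(Exception):
    """Raised when a caller references an object it may not access."""


def get_document_vulnerable(doc_id: int) -> str:
    """VULNERABLE (IDOR): the id taken from the URL is used directly, so any
    logged-in user who changes ?id=101 to ?id=102 reads another customer's data."""
    return DOCUMENTS[doc_id][1]


def get_document_safe(current_user: User, doc_id: int) -> str:
    """HARDENED: the reference is honoured only if the caller owns the object
    or holds the admin role. The check lives on the server, not in the UI."""
    owner, body = DOCUMENTS[doc_id]
    if current_user.role != "admin" and owner != current_user.name:
        raise Forbidden(f"{current_user.name} may not read document {doc_id}")
    return body


def authorize_path(current_user: Optional[User], path: str) -> bool:
    """Per-request URL authorization. Hiding the link to /admin/users is not
    protection; this function must run each time a protected path is requested."""
    required = ROUTE_ROLES.get(path)
    if required is None:
        return True  # public path
    if current_user is None:
        return False  # protected path, anonymous caller
    if required == "admin":
        return current_user.role == "admin"
    return True  # any authenticated user may reach "user" paths


if __name__ == "__main__":
    bob = User("bob", "user")
    print(get_document_vulnerable(101))  # bob reads alice's invoice: the flaw
    try:
        get_document_safe(bob, 101)
    except Forbidden as exc:
        print("blocked:", exc)
    print("bob -> /admin/users:", authorize_path(bob, "/admin/users"))
```

In a real application the ownership check belongs in the data-access layer so that every route that loads a document inherits it, and the path check is best expressed as middleware that runs before any handler.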
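Cross Site Request Forgery and Unvalidated Redirects and Forwards are both failures to validate the request itself: the first accepts a state-changing request the user never intended, the second accepts a destination the application never vetted. This added example (not Fiducia X's code, not from the original page) derives a per-session CSRF token with HMAC and checks it on a state-changing handler, then restricts redirect targets to relative paths or an allowlist of hosts. The server key, session ids, hostnames and form fields are constructed.

```python
"""Added example (not from the page): CSRF synchroniser token and redirect allowlist."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed: in production this is a persisted secret, not regenerated per process.
SERVER_KEY = secrets.token_bytes(32)

# Constructed allowlist of hosts the application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "example.com"}


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session; a cross-site page cannot read the victim's
    session, so it cannot forge a request that carries the matching token."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing POST handler: the session cookie alone is not enough,
    because the browser attaches it to forged requests automatically."""
    if not verify_csrf(session_id, form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Accept only same-site relative paths or allowlisted absolute URLs;
    anything else (other hosts, scheme-relative //host, javascript:) falls
    back to the default landing page."""
    if "\\" in next_param:
        return default  # some browsers treat a backslash as a slash
    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "" and next_param.startswith("/"):
        return next_param
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_param
    return default


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    token = csrf_token_for(sid)
    print(handle_transfer(sid, {"amount": "10", "to": "bob"}))
    print(handle_transfer(sid, {"amount": "10", "to": "bob", "csrf_token": token}))
    for target in ["/account", "//evil.example/x", "https://www.example.com/done"]:
        print(target, "->", safe_redirect_target(target))
```

The token is embedded in each form by the server and verified on submission; pairing it with the SameSite cookie attribute adds a second, browser-enforced layer. For redirects, note that `urlparse` treats `//host/path` as scheme-relative, which is why the check requires an empty `netloc` as well as an empty scheme before accepting a path.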
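The Insecure Cryptographic Storage item names authentication credentials among the data that is often weakly protected. This added example (not Fiducia X's code, not from the original page) contrasts an unsalted fast hash with a salted, iterated PBKDF2 hash from the standard library and verifies a candidate password in constant time. The iteration count is an assumed cost parameter to be tuned to your hardware, and the passwords are constructed.

```python
"""Added example (not from the page): weak versus adequate password storage."""
import base64
import hashlib
import hmac
import os

# Assumption: cost parameter; raise it as hardware allows. Each verify costs this much.
PBKDF2_ITERATIONS = 600_000


def store_password_weak(password: str) -> str:
    """WEAK: unsalted, single-pass MD5. Identical passwords give identical
    digests, and precomputed tables or GPU brute force recover them quickly."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The random salt makes every stored value unique
    and the iteration count makes each guess expensive for an attacker."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so response timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("weak  :", store_password_weak(pw), "(same every time)")
    record = store_password(pw)
    print("strong:", record)
    print("verify correct:", verify_password(record, pw))
    print("verify wrong  :", verify_password(record, "password1"))
```

The stored string carries the algorithm name, iteration count and salt, so the cost can be raised later and old records re-hashed at the user's next login. For card numbers and other data that must be recoverable the question is encryption and key management rather than hashing, which this example does not cover.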
Cost & Duration
The duration of a test depends on the size and complexity of an application, but can start from a single day. To discuss your particular requirements and associated costs, please contact Fiducia X.