Application security assessment
The pressure to rapidly develop and roll out business applications often leads to poor or no security testing, so vulnerable applications end up running in production. Meanwhile, exploiting vulnerabilities in web applications is currently a favourite method among attackers, who routinely target web applications to gain access to sensitive information.
Application security assessment is a comprehensive security analysis of a client's business application. If your organisation plans to launch a new business application, you should perform an application security assessment, including application penetration testing, before go-live. This is especially important if the application provides or processes sensitive information, handles financial transactions or runs critical business functions for your organisation.
Depending on the approved scope, the application assessment includes application architecture review, security analysis of the application source code, vulnerability research through reverse engineering and penetration testing, stress testing and analysis of application components. It may also include an audit of conformance to specified security standards, company policies and security architecture, as well as to the initial security requirements.
The following application vulnerabilities are frequently discovered and fixed as a result of the more than 70 application security testing scenarios:
- Injection flaws (e.g. SQL, LDAP, OS command, XPath, XQuery, XSLT, XML)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Improper authentication or session management
- Improper access control
- Missing encryption or improper use of cryptographic algorithms
- Information exposure through error messages
- Open redirects
- Failure to restrict URL access
- Insecure direct object references or path traversal
- Buffer overflows