Application Vulnerability Assessment
Application Testing
The objective of this security assessment is to get a clear definition of where vulnerabilities reside and the magnitude of the exposure. The result is a deep understanding of the application's attack surface and its potential resilience. This knowledge may be used to guide development teams in more robust development practices, or to guide the vendor selection process for subsequent application or maintenance purchases.
Web applications add several dimensions to the testing process and include consideration for the technologies used to deploy the application, the languages used to develop the user interface, and the browser technologies employed to use the application. For both web and non-web applications, we follow a similar three-step process:
| Phase 1 | Using sophisticated threat modeling techniques, our security team identifies the areas that attackers will likely exploit and determines the magnitude of the loss should those areas be penetrated. The modeling activity prioritizes the testing activities and highlights the areas where attacks could do the most damage, guiding the testing process for greatest effect. |
| Phase 2 | Led by the prioritized threat model, the application security team engages in test plan development followed by aggressive application penetration testing, applying not only the well-known attacks and techniques that a hacker would typically employ, but also specialized attacks developed by Security Innovation to uncover more deeply hidden vulnerabilities. |
| Phase 3 | The application security team generates a detailed report that includes the complete threat model, the test methodology, the detailed findings for each identified threat area and severity ratings. The findings, along with appropriate remediation recommendations, are compiled in a report and presented in person to the risk management team responsible for the application. |
Rapid Web Assessment
Fast and hard-hitting, this service allows organizations to quickly understand the level of exposure their web applications present - and decide whether or not to dive deeper and/or take appropriate mitigation steps. The fixed-price service leverages Watchfire AppScan™ automated tooling to test web applications and generate reports. Security Innovation engineers analyze and enhance the reports and present the results to the customer.
The result of the Rapid Web Assessment process is a basic understanding of the level of exposure the deployed web application presents. This knowledge may be used to determine the next steps for the deployed application's lifecycle, be it deeper testing, rebuilding and redeploying, replacing it with another vendor's application or taking it out of service completely.
Code Review
The Security Innovation Code Review provides an analysis of an existing codebase and locates code constructs that lead to security vulnerabilities. Our expert security team employs a combination of static analysis tools and “eyes on” review to uncover the highest number of flaws possible. Code reviews may be executed against C, C++, C#, VB, VB.Net and Java applications.
The result of the Code Review is a detailed report outlining code issues and suggested repairs for security. This will allow your development team to better understand the problem areas of their code and prevent common logic errors and other mistakes in the future.




