Application Security

Approach To Assessing Your Enterprise Application Universe

To provide an accurate and holistic snapshot of your enterprise application health, we deploy both automated and manual assessment methodologies. The scope of our assessment encompasses:

Process

Identifying & Analyzing Security Gaps In Mission Control

Tools & Tech

Application Technology Checkpoints To Ascertain Their Integrity

A comprehensive, real-time check on the technical security controls in place at the organization.

Run diagnostic tests on the agreed scope. Activities include network- and application-level vulnerability assessment and penetration testing, network security review, firewall rule review, and similar checks.

Penetration testing derived from the OSSTMM and PTES standards, performing comprehensive application/product tests on the scoped application.

Coverage of the OWASP Top 10 categories and related web application weaknesses, such as cross-site scripting, SQL injection, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, stealth commanding, session fixation, automatic intelligent form filling, forceful browsing, application buffer overflow, cookie poisoning, third-party misconfiguration, HTTP attacks, XML/SOAP tests, content spoofing, LDAP injection, and XPath injection.

Test cases for modern websites using JavaScript, Macromedia Flash, AJAX, Java applets, ActiveX, and similar client-side technologies.

Business logic verification and testing: business rule vulnerabilities allow an attacker to misuse an application to circumvent the business rules, constraints, or restrictions put in place to complete a process properly. Logical attacks focus on abusing or exploiting a web application's logic flow.

We combine automated testing with expert validation & custom exploitation.

Create vulnerability tracker sheets listing the uncovered vulnerabilities per application or IP address.

Create detailed test reports at the end of the execution phase, recording the results and sharing the required suggestions and recommendations.

People

Ensuring User Awareness Of Cyber Security Practices

Launch harmless simulated attacks against segments of employees (with prior notice to, and consent of, Injazat/Injazat Key Account stakeholders) to measure their level of security awareness.

Conduct discussions with the key application stakeholders at the organization to analyze and review the associated vulnerabilities.

Hold discussions with stakeholders and the support team to evaluate the level of “business as usual” operational knowledge of security.

Focus On Our Testing Methodology

Our testing methodology is inspired by SANS' four-stage methodology: Reconnaissance, Mapping, Discovery (Vulnerability Assessment) and Exploitation (Penetration Testing).

  • Combined with an appropriate mix (about 60:40) of automated and manual test cases, this ensures that deep-rooted security vulnerabilities are uncovered from both the infrastructure and the application perspective.
  • We have extended it further with the learnings and guidelines stipulated by global industry best practices.

Reconnaissance & Mapping

Reconnaissance

The first step in a Vulnerability Assessment and/or Penetration Test, and also the most important one. In this phase the testing team performs active and passive reconnaissance of the target system.

Mapping

During the Mapping phase we identify all publicly available services running on the target system. In the case of a Web Application Penetration Test, we discover all the pages, files, and directories present in the web application environment.

Highlighting Our Reconnaissance Techniques

  • DNS-based discovery, port scanning, service discovery and identification of the target system and target environment
  • Search engine information disclosure techniques such as Google Hacking
  • Simulating an attacker who uses social networks to gather specific information
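The Mapping phase above and the first reconnaissance technique both come down to building a service inventory from scan output. The following added example (not code from the original page or from Injazat/Green Method) parses the XML that `nmap -sV -oX` produces into a list of services, and then flags open services that the agreed scope did not expect. The XML is constructed for the example with documentation-range addresses and invented services, and the allow-list in `EXPECTED_EXPOSURE` is an assumed scope definition.

```python
"""Mapping-phase helper: turn Nmap XML into a service inventory and flag
open services the scope did not expect. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample shaped like `nmap -sV -oX` output; hosts and versions are invented.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.0/30" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="app.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed scope definition: (host, protocol, port) tuples that should be reachable.
EXPECTED_EXPOSURE = {("203.0.113.10", "tcp", 22), ("203.0.113.10", "tcp", 443)}


@dataclass(frozen=True)
class Service:
    host: str
    hostname: str
    proto: str
    port: int
    state: str
    name: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list[Service]:
    """Flatten every <port> of every host that is up into Service records."""
    root = ET.fromstring(xml_text)
    services: list[Service] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            services.append(Service(
                host=addr,
                hostname=hostname,
                proto=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "unknown") if state is not None else "unknown",
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
    return sorted(services, key=lambda s: (s.host, s.proto, s.port))


def open_services(services: list[Service]) -> list[Service]:
    """Only ports Nmap reported as open; filtered/closed ports are noise for mapping."""
    return [s for s in services if s.state == "open"]


def unexpected_exposures(services: list[Service],
                         allowed: set[tuple[str, str, int]]) -> list[Service]:
    """Open services that the scope's allow-list does not account for."""
    return [s for s in open_services(services) if (s.host, s.proto, s.port) not in allowed]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in open_services(inventory):
        print(f"{s.host}:{s.port}/{s.proto} {s.name} {s.product} {s.version}".rstrip())
    for s in unexpected_exposures(inventory, EXPECTED_EXPOSURE):
        print(f"UNEXPECTED: {s.host}:{s.port}/{s.proto} ({s.name})")
```

Services with `method="table"` and a low `conf` value were identified by port number alone rather than by banner probing; a tester should treat those entries as candidates for manual verification before they go into the tracker sheet.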

Vulnerability Discovery

Discovery, a critical phase of the Penetration Test, starts with the testing team identifying all possible vulnerabilities in the target system. Here we use automated and manual discovery processes to identify the most deep-seated vulnerabilities, which result from:

  • Flawed coding practices
  • Non-secure configuration practices
  • Lack of user awareness (in case of Social Engineering attacks)

During web application Penetration Tests we also perform Business Logic Security Testing, which identifies business logic flaws that automated vulnerability scanners cannot detect, because the application responds successfully to the abusive request.

Penetration Testing (Exploitation)

During Exploitation, the testing team launches exploits against the target system based on the vulnerabilities found in Discovery. Our exploitation techniques are predominantly manual, supported by the automated exploit tools at our disposal.

The aim of the Green Method proof-of-concept exploits is to provide:

  • A comprehensive understanding of the vulnerabilities
  • A demonstration of the potential effect of these vulnerabilities manifesting in the target system

Reporting

The final phase of the Vulnerability Assessment and/or Penetration Test is Analysis and Reporting, in which the team develops the VAPT Report. The testing team analyzes and interprets the results of the test and, based on its understanding of the target system, assigns each finding a risk rating of High, Medium, or Low. The report is then delivered to the client.

Every report includes the following:

  • Executive Summary
  • Scope and Objective of the Work
  • Detailed Vulnerability Statistics
  • Risk Impact Analysis
  • Specific Vulnerability Information – with URL, Parameter, Attack Vector – Classification of Vulnerability with multiple Vulnerability References
  • Evidence of Exploitation or Discovery (if any)
  • Recommendations

Let’s Secure The Integrity Of Your Applications