Application Security

Green Method has devised approach and model for Vulnerability Assessment and Penetration Testing of the applications that ensures that the customer is provided with an accurate and exhaustive snapshot of the state of the information security of IT applications from a technical as well as business stand points.

Green Method would deploy automated as well as manual assessment methodologies on the scope’s Process, Technology and People domains pertinent to the scope of work as detailed here:

Process

Process (Business Applications’ Operations)

  • An overall check on the allied Process and Operations level controls implemented at the organization from an Information Security perspective (pertinent to the scope of work)
  • Review the organization’s existing (assessed or derived) risk levels
  • Review of the current IT Policies and the associated Operating Procedures followed in the property and to review the effective functioning of the same from a core business application perspective
  • aGME would then design and compile a comprehensive set of organizational risk based controls (derived from Global Best Practices in the respective domain and the Abu Dhabi Risk Assessment Guide)
  • The compiled controls would then be evaluated and ranked against the existing implemented controls at the organization
  • The resultant differential (Gaps) would be ranked as per criticality and the feasibility of implementing them at the organization to be evaluated through discussions with the key stakeholders would be presented
Technology

Technology

  • A comprehensive and a “Real Time” check on the technical security controls in place at the organization
  • GME would run diagnostic tests on the scope mentioned above.Activities include Network and Application Level Vulnerability Assessments /Penetration Testing, Network Security Review, Firewall Rule Reviews etc
  • Our Penetration Testing process is derived from the OSSTMM and PTES standards and would perform a comprehensive Application/Product penetration testing on the scoped application
  • Comprehensive coverage of all OWASP Top 10 2013 application vulnerabilities such as Cross-site scripting, SQL injections, HTTP response splitting, Parameter tampering, Hidden field manipulation, Backdoors/debug options, Stealth commanding, Session fixation, Automatic intelligent form filling, Forceful browsing, Application buffer overflow, Cookie poisoning, Third-party mis-configuration, HTTP attacks, XML/SOAP tests, Content spoofing, LDAP injection, XPath injection
  • Test Cases for modern websites using JavaScript, Macromedia Flash, AJAX, Java Applets, ActiveX
  • Business logic verification and testing: Business rule vulnerabilities involve any type of vulnerability that allows the attacker to misuse an application in a way that will allow them to circumvent any business rules, constraints or restrictions put in place to properly complete the business process. The Logical attacks focus on the abuse or exploitation of a web application’s logic flow
  • Combination of automated testing with expert validation & custom exploitation
  • Create detailed test reports at the end of the execution phase recording the results and sharing required suggestions and recommendations
  • Create vulnerability tracker sheets that list down the uncovered vulnerabilities per application or IP address
People

People (Knowledge/ Awareness)

  • Launch Harmless Security Attacks on segments of employees (with prior intimation and consent of Injazat/ Injazat Key Account stakeholders) to ascertain their levels of security awareness
  • Conduct discussions with the key application stakeholders at the organization to analyze and review associated vulnerabilities
  • Conduct discussions with the stakeholders and support team to evaluate the levels of “Business As Usual” operational level knowledge on security

Green Method’s Testing methodology is inspired from the SANS’ 4 stage- Reconnaissance, Mapping, Discovery (Vulnerability Assessment) and Exploitation (Penetration Testing) methodology. This conceptual process in combination with the appropriate (about 60:40) mix of Automated: Manual Test Cases ensures the uncovering of deep-rooted security vulnerabilities from both an Infrastructure and Application perspective. We have included the learning and the guidelines stipulated by the Abu Dhabi Information Security Testing Guide in addition to industry best practices.

  • Reconnaissance
  • Mapping
  • Discovery (Vulnerability Assessment)
  • Exploitation (Penetration Testing) methodology
Reconnaissance and Mapping

Reconnaissance and Mapping

Reconnaissance is the first step in a Vulnerability Assessment and/or Penetration Test. It is also the most important process of the test. In this phase, GME’s testing team shall perform active and passive reconnaissance of the target system. During our Mapping phase, we identify all the publicly available services running in the target system, or in case of a Web Application Penetration Test, we discover all the pages, files and directories present in the web application environment. Our reconnaissance techniques include performing DNS-based discovery, Port scanning, services discovery and identification of target system and target environment. We also utilize search engine information disclosure techniques like Google Hacking and an attacker of the system would simulate the use of Social networks to gather specific information.

Vulnerability Discovery

Vulnerability Discovery

Discovery phase is a critical phase of the Penetration Test. In this phase, GME’s testing team identifies all possible vulnerabilities in the target system. We utilize automated and manual discovery processes to identify the most deep-seated vulnerabilities in the target system. Vulnerabilities in target systems may be the result of flawed coding practices, non-secure configuration practices or lack of user awareness (in case of Social Engineering attacks).

During web application Penetration Tests, we also perform Business Logic Security Testing that identifies business logic flaws that are not identified by any tools or automated vulnerability scanning tools.

Penetration Testing

Penetration Testing (Exploitation)

Exploitation phase is the phase, where GME’s testing team launches exploits against the target system based on the vulnerabilities discovered in the discovery phase. Our exploitation techniques are predominantly manual, with a healthy combination of automated exploit tools at our disposal. Our proof-of-concept exploits are aimed at providing a comprehensive understanding of the vulnerabilities and the potential effect of these vulnerabilities manifesting in the target system

Reporting

Reporting

The final phase of the Vulnerability Assessment and/or Penetration Test is the Analysis and Reporting. In this phase, GME’s testing team will develop the Vulnerability Assessment and Penetration Testing Report. The testing team will analyze and interpret the results of the test. Based on the understanding of the target system, the risk ranking of High, Medium and Low will be populated with the findings of the test and subsequently, the report is delivered to the client. The following shall be included in each report

  • Executive Summary
  • Scope and Objective of the Work
  • Detailed Vulnerability Statistics
  • Risk Impact Analysis
  • Specific Vulnerability Information – with URL, Parameter, Attack Vector
  • Classification of Vulnerability with multiple Vulnerability References
  • Evidence of Exploit of Discovery (if any)
  • Recommendations
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt