Application Security

Approach To Assessing Your Enterprise Application Universe

In order to provide an accurate and holistic snapshot of your enterprise application health, we deploy automated and manual assessment methodologies. Scope of our assessment encompass:

Process

Identifying & Analyzing Security Gaps In Mission Control

Tools & Tech

Application Technology Checkpoints To Ascertain Their Integrity

A comprehensive and a “Real-Time” check on the technical security controls in place at the organization.

Test Cases for modern websites using JavaScript, Macromedia Flash, AJAX, Java Applets, ActiveX, etc.

Create vulnerability tracker sheets that list down the uncovered vulnerabilities per application or IP address.

Run diagnostic tests on the scope. Activities include Network and Application Level Vulnerability Assessments /Penetration Testing, Network Security Review, Firewall Rule Reviews, etc.

Business logic verification and testing: Business Rule Vulnerabilities allow the attacker to misuse an application to circumvent any business rules, constraints, or restrictions put in place to properly complete processes. The Logical attacks focus on the abuse or exploitation of a web application’s logic flow.

Use Penetration Testing derived from the OSSTMM, and PTES standards, performing comprehensive Application/Product tests on the scoped application.

We combine automated testing with expert validation & custom exploitation.

Create detailed test reports at the end of the execution phase, recording the results, and sharing required suggestions and recommendations.

Comprehensive coverage of all OWASP Top 10 application vulnerabilities such as Cross-site scripting, SQL injections, HTTP response splitting, Parameter tampering, Hidden field manipulation, Backdoors/debug options, Stealth commanding, Session fixation, Automatic intelligent form filling, Forceful browsing, Application buffer overflow, Cookie poisoning, Third-party misconfiguration, HTTP attacks, XML/SOAP tests, Content spoofing, LDAP injection, and XPath injection.

People

Ensuring User Awareness Of Cyber Security Practices

Launch harmless security attacks on segments of employees (with prior intimation and consent of Injazat/Injazat Key Account stakeholders) to ascertain their levels of security awareness.

Conduct discussions with the key application stakeholders at the organization to analyze and review associated vulnerabilities.

Discussions with the stakeholders and support team to evaluate the levels of “Business As Usual” operational level knowledge on security.

Focus On Our Testing Methodology

Our Application Vulnerability Testing methodology is inspired from the SANS’ 4 stage- Reconnaissance, Mapping, Discovery (Vulnerability Assessment) and Exploitation (Penetration Testing) methodology.

Combined with the appropriate (about 60:40) mix of Automated: Manual Test Cases ensures the uncovering of deep-rooted security vulnerabilities (infrastructure and application perspective).
This, we have furthered with the learning and the guidelines stipulated by global industry best practices.

Reconnaissance & Mapping

Reconnaissance

The first step in a Vulnerability Assessment and/or Penetration Test, it’s also the most important process. In this phase, the testing team shall perform active and passive reconnaissance of the target system

Mapping

During the Mapping phase, we identify all the publicly available services running in the target system. In case of a Web Application Penetration Test, we discover all the pages, files, and directories present in the web application environment.

Highlighting Our Reconnaissance Techniques

DNS-based discovery, Port scanning, services discovery and identification of target system and target environment
Utilizing search engine information disclosure techniques like Google Hacking
Simulations of an attacker using Social networks to gather specific information

Vulnerability Discovery

Discovery – a critical phase of the Penetration Test, starts with the testing team identifying all possible vulnerabilities in the target system. Here, we utilize automated and manual discovery processes to identify the most deep-seated vulnerabilities – the result of:

Flawed coding practices
Non-secure configuration practices
Lack of user awareness (in case of Social Engineering attacks)

During web application Penetration Tests, we also perform Business Logic Security Testing, which identifies business logic flaws (not identifiable by any tool or automated vulnerability scanning).

Penetration Testing (Exploitation)

During Exploitation, the testing team launches exploits against the target system based on the vulnerabilities discovered in Discovery. Our exploitation techniques are predominantly manual, with a healthy combination of automated exploit tools at our disposal.

Aim of the Green Method proof-of-concept exploits –

Providing a comprehensive understanding of the vulnerabilities
The potential effect of these vulnerabilities manifesting in the target system

Reporting

The final phase of the Vulnerability Assessment and/or Penetration Test is the Analysis and Reporting, with the team developing the VAPT Report. The testing team analyzes and interprets the results of the test. Based on the understanding of the target system, the risk ranking of High, Medium, and Low is populated with the findings of the test. Subsequently, the report is delivered to the client.

Every report must have the following inclusions:

Executive Summary
Scope and Objective of the Work
Detailed Vulnerability Statistics
Risk Impact Analysis
Specific Vulnerability Information – with URL, Parameter, Attack Vector – Classification of Vulnerability with multiple Vulnerability References
Evidence of Exploit of Discovery (if any)
Recommendations