Secure software is a subset of quality, reliable software. Applications with access to critical data were once shielded from the world, deep within the network, where information was protected by multiple layers of access controls and firewalls. With the growing need to share access to information with customers and across organizations, however, this shield has come down. There is now nothing more than a few lines of code separating the rest of the world from this critical data. Even more alarming, Web 2.0 technologies such as AJAX deliver more of that code to the client, where it runs directly in users’ Web browsers and can be read and modified by anyone, exposing more of the application’s logic than traditional Web applications did.
Headlines are stark reminders of what happens when these critical resources are not secured. Using SQL injection, an attacker can extract an entire database of critical information with nothing more than a Web browser. Phishing attacks that abuse cross-site scripting (XSS) or open URL redirection can deceive customers or employees into divulging sensitive information. Other web application vulnerabilities may let an attacker take control of the system hosting the application and use it as a platform for burrowing deeper into the corporate network. Making matters worse, a key technology used to protect this critical data, SSL/TLS, also hides the attack itself: the malicious requests are encrypted as they pass through intrusion prevention and detection devices deployed at the perimeter, so unless those devices have been configured to decrypt the traffic, the attack goes undetected.
SecqureOne’s application security assessments utilize a multi-phased approach to examine the security postures of applications in their run-time state. SecqureOne’s experienced application security experts stay abreast of the latest attack trends and techniques and combine automated and manual testing to assist organizations in improving the security posture of their applications.
SecqureOne performs application security assessments using a three-phase methodology:
- Information Gathering
- Vulnerability Discovery
- Vulnerability Analysis
During the information gathering phase, a SecqureOne consultant gathers information about the application and its infrastructure. This identifies the critical components and gives the consultant a clear understanding of the application’s architecture, which improves the efficiency and focus of the automated vulnerability scanning tools and manual testing used in the next phase.
During the vulnerability discovery phase, the consultant uses industry-leading commercial and open-source automated tools to map the application’s site structure and to identify “low-hanging fruit” vulnerabilities (those that are capable of easy detection and exploitation by an attacker with a modest skill set). Automated tools send a specially crafted request containing an attack string and then look for a signature in the response, such as the payload echoed back unencoded or a database error message, to determine whether a vulnerability is present. This automated testing accounts for 20 percent of the testing effort. Some of the vulnerabilities detected by automated testing include:
- Reflected cross-site scripting (XSS)
- Some SQL injection vulnerabilities
- Some path traversal vulnerabilities
- Some command injection vulnerabilities
- Directory listings
The consultant then uses manual testing to identify vulnerabilities that are beyond the scope of automated vulnerability scanning tools. A completely automated approach is not an effective strategy for detecting vulnerabilities in an application, because some vulnerabilities cannot be reliably detected with an attack string and a response signature. These vulnerabilities require a human to observe how the application behaves and to understand the logic behind the scenes, in the application’s code and workflows. Manual testing accounts for 80 percent of the testing effort, and this is what differentiates SecqureOne in the industry. Some of the vulnerabilities detected by manual testing include:
- Broken access controls
- Logic flaws in multi-step transactions
- Weak password requirements
- Account enumeration through differing application behavior
- Flaws in “forgot password” or self-registration features
- Weak session management leading to session hijacking
- Leakage of sensitive or technical information
- Escalation of privilege for different user roles
- Blind SQL injection vulnerabilities that scanners often miss
- Script injection vulnerabilities (XSS) that scanners often miss
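To make the difference between the two approaches concrete, the following is an added Python example, not code from this page and not SecqureOne’s tooling. It runs a signature-style check of the kind an automated scanner performs and a differential check of the kind a tester performs by hand, both against a constructed in-process target: the endpoint functions, the in-memory SQLite table, the canary token and the check names are all assumptions made for illustration. The `profile_page` endpoint is deliberately written so that it is injectable but returns neither data nor error text, which is exactly the case a signature-based check cannot see.

```python
import html
import re
import sqlite3
from typing import Callable, Dict

# --- Constructed target (stands in for a real web application) -------------
# Endpoints are plain functions: query-string value in, HTML body out.
# The in-memory SQLite table is a stand-in for the application's database.

def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

_DB = _make_db()

def search_page(q: str) -> str:
    """Reflects the search term into the page unencoded: reflected XSS."""
    return f"<html><body>Results for {q}</body></html>"

def search_page_fixed(q: str) -> str:
    """Same page with output encoding applied: not vulnerable."""
    return f"<html><body>Results for {html.escape(q)}</body></html>"

def profile_page(user_id: str) -> str:
    """Concatenates the parameter into SQL, but the page only says whether a
    profile exists and swallows database errors, so there is no error text and
    no data in the response for a signature to match (blind SQL injection)."""
    try:
        row = _DB.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchone()
    except sqlite3.Error:
        row = None
    if row:
        return "<html><body>Profile found</body></html>"
    return "<html><body>No such profile</body></html>"

# --- Signature-style checks (what an automated scanner does) ---------------
Endpoint = Callable[[str], str]
CANARY = "zq7canary"  # unique token so the signature cannot match by accident

def check_reflected_xss(endpoint: Endpoint) -> bool:
    """Send markup containing the canary; vulnerable if it comes back intact."""
    payload = f"<{CANARY}>"
    return payload in endpoint(payload)

def check_error_based_sqli(endpoint: Endpoint) -> bool:
    """Break the query with a quote; vulnerable if a DB error leaks into the page."""
    body = endpoint("1'")
    return re.search(r"sqlite3|syntax error|unclosed quotation|sql error", body, re.I) is not None

# --- Differential check (what the human tester does for blind injection) ---

def check_boolean_blind_sqli(endpoint: Endpoint) -> bool:
    """No signature exists, so compare behaviour instead: a TRUE condition must
    leave the page unchanged while a FALSE condition must change it."""
    baseline = endpoint("1")
    same_when_true = endpoint("1 AND 1=1") == baseline
    differs_when_false = endpoint("1 AND 1=2") != baseline
    return same_when_true and differs_when_false

def scan(targets: Dict[str, Endpoint]) -> Dict[str, Dict[str, bool]]:
    """Run every check against every endpoint; returns findings per endpoint."""
    checks = {
        "reflected_xss": check_reflected_xss,
        "error_based_sqli": check_error_based_sqli,
        "boolean_blind_sqli": check_boolean_blind_sqli,
    }
    return {name: {c: fn(ep) for c, fn in checks.items()} for name, ep in targets.items()}

if __name__ == "__main__":
    targets = {"search": search_page, "search_fixed": search_page_fixed, "profile": profile_page}
    for name, findings in scan(targets).items():
        print(name, findings)
```

Against `search_page` the canary check fires and against `search_page_fixed` it does not, which is the reflected XSS case scanners handle well. Against `profile_page` both signature checks stay silent, because the page never echoes the payload and never shows the database error, while the boolean differential check reports the injection. In a real assessment that differential observation still needs a human: someone has to pick the parameter worth testing, make sure the baseline is stable (no timestamps, view counters or session-dependent content changing between requests), and interpret whether a difference in behaviour really is the injected condition and not application noise.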
Testing from both an authenticated and an unauthenticated perspective is recommended in order to identify the complete attack surface available not only to external attackers but also to malicious users with a valid login.
Finally, during the vulnerability analysis phase, the consultant validates the automated testing results and correlates them with the manual testing results. Every finding is manually validated to remove false positives and to determine the context of, and relationships between, the discovered vulnerabilities. The consultant then writes a causality-based vulnerability report from the findings. Classifying vulnerabilities by root cause rather than by symptom is the most effective approach, because it points to the fix that addresses every instance of the flaw rather than a single affected page or parameter. The report also provides actionable recommendations for risk remediation or mitigation, together with technical impact details and attack scenarios where applicable, so that the client receives the complete results of the assessment.
Let’s Talk for additional information or assistance.