Application Security - SoftServe United Blog

Application Security
Consulting Service Datasheet
Business problem
Data loss has become a common risk for any organization. Apart from damaging an enterprise's public image, it may cost the company the trust and confidence of its customers. As soon as an application exposes data to users, vulnerabilities become a risk: data leakage, uncontrolled access to protected data, compromise of business processes, and disruption of operations. Any of these may lead to heavy penalties for the company.
Quite often application security is overlooked during security planning. If application security is not tested during the main phases of the development process and code quality is not kept high, applications are susceptible to exploitation by both internal and external attackers.
Consider also that the rapid growth of e-commerce and corporate web services has popularized breaking into an organization through its externally exposed resources, mostly through the web. With new web applications appearing every day, many companies cannot find the time to keep their web application security at the proper level. Through broken web applications attackers can gain access to sensitive data such as credit card numbers, customer data, details of business transactions and more.
Approach
SoftServe conducts application testing in one of two modes: black-box security testing or white-box testing. During the assessment we also review all compiled and installed elements of the product infrastructure and focus on how the application components are deployed. We interact with both the user-facing and the server environments.
The assessment proceeds through the following phases:
▪▪ Test planning: meeting with the customer; aligning test goals and scope
▪▪ Intelligence gathering: collecting information about the system being tested
▪▪ Attack vector identification: potential weakness analysis
▪▪ Penetration attempt: exploit testing for the vulnerabilities found
▪▪ Exploiting: developing attack scenarios; bypassing protection
▪▪ Post exploitation: escalating privileges; infrastructure analysis; artifact analysis; covering tracks
▪▪ Providing reports and recommendations: creating a report for the system owner, including the vulnerabilities found and recommendations on how to eliminate them
▪▪ Cleanup
Our expertise is based on internationally recognized application security assessment methodologies, such as:
▪▪ OWASP Application Security Verification Standard (ASVS)
▪▪ Information Systems Security Assessment Framework (ISSAF, by OISSG)
▪▪ The Open Source Security Testing Methodology Manual (OSSTMM)
▪▪ ISACA Switzerland – Testing IT Systems Security With Tiger Teams
▪▪ Cybersecurity Vulnerability Assessment Methodologies (Cybersecurity VAMs)
A codebase security assessment is performed through static and dynamic analysis with the aid of code scanning tools and the standardized OWASP methodology (others, such as NIST and MITRE, are possible). Vendor security checklists (Microsoft SDL, Oracle/Sun) are also applied.
The assessment follows the phases and practices of the Software Development Lifecycle (as in the Microsoft SDL) and can be applied at whichever phase the project is in:
▪▪ Requirements: establish security requirements; create quality gates/bug bars; security and privacy risk assessment
▪▪ Design: establish design requirements; analyze attack surface; threat modeling
▪▪ Implementation: use approved tools; deprecate unsafe functions; static analysis
▪▪ Verification: dynamic analysis; fuzz testing; threat model and attack surface review
▪▪ Release: incident response plan; final security review; release archive
▪▪ Response: execute incident response plan
A detailed code review is conducted to find vulnerabilities at the source code level. Combining manual code review with testing of the detected security holes, our experts produce a detailed report on which gaps were found, how they can be exploited, and a roadmap of improvements that, when completed, should correct all of the discovered gaps.
We divide the static analysis as follows:
▪▪ Analysis of the source code
▪▪ Analysis of byte code (.NET assemblies, Java class files, C++/CLI managed code)
▪▪ Analysis of the raw binaries of a compiled (native C/C++) application
Our web application testing process identifies weaknesses and vulnerabilities in web applications and provides remediation methods that will work for your specific business. We emulate real attacks with a broad range of tests to help you strengthen your web application security. Tests performed include, but are not limited to:
▪▪ Improper client session handling
▪▪ Parameter manipulation
▪▪ Buffer overflows/underflows
▪▪ Dangling pointers
▪▪ Fuzzing
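As an added illustration of two of the test classes named above (buffer overflows and dangling pointers), the following C code is not from SoftServe's datasheet; it shows each defect in a vulnerable form next to a hardened one, the kind of pair a code review report would present. The names copy_param_unsafe, copy_param_safe, session_t and PARAM_MAX are illustrative assumptions, and the inputs are constructed.

```c
/* Added example, not part of the datasheet. Names and inputs are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARAM_MAX 16   /* assumed size of a request-parameter buffer */

/* Buffer overflow: strcpy() trusts the caller's length. A parameter longer
 * than PARAM_MAX-1 bytes overwrites whatever follows buf on the stack.
 * Kept only for contrast; never call it with untrusted input. */
void copy_param_unsafe(const char *src) {
    char buf[PARAM_MAX];
    strcpy(buf, src);            /* no bound check */
    (void)buf;
}

/* Hardened form: refuse over-long input instead of silently truncating,
 * so the caller cannot mistake a cut-off value for a complete one.
 * Returns 0 on success, -1 if src (with its NUL) does not fit in dst. */
int copy_param_safe(char *dst, size_t dst_len, const char *src) {
    /* Look for the terminator within the first dst_len bytes only. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL) {
        return -1;               /* would overflow: reject */
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* copy including the NUL */
    return 0;
}

/* Dangling pointer: a session object is freed, but the caller keeps the
 * stale pointer and later dereferences it (use-after-free). */
typedef struct {
    int user_id;
    int is_admin;
} session_t;

session_t *session_open(int user_id) {
    session_t *s = calloc(1, sizeof *s);
    if (s) {
        s->user_id = user_id;
    }
    return s;
}

/* Vulnerable form: frees the object but leaves the caller's pointer
 * looking valid, so a later session_is_admin(s) reads recycled heap. */
void session_close_unsafe(session_t *s) {
    free(s);
}

/* Hardened form: takes the address of the caller's pointer and nulls it,
 * so any later use fails as a NULL check, not as a silent read of freed
 * memory. */
void session_close_safe(session_t **sp) {
    if (sp && *sp) {
        free(*sp);
        *sp = NULL;
    }
}

/* Authorization check that treats a closed (NULL) session as not authorized. */
int session_is_admin(const session_t *s) {
    return s != NULL && s->is_admin;
}

/* Exercise the hardened copy on a constructed parameter value. */
int demo_copy(const char *src) {
    char dst[PARAM_MAX];
    return copy_param_safe(dst, sizeof dst, src);
}

/* Returns 1 if closing nulls the pointer and the admin check then fails. */
int demo_session_close(void) {
    session_t *s = session_open(7);
    if (!s) {
        return 0;
    }
    s->is_admin = 1;
    session_close_safe(&s);
    return s == NULL && session_is_admin(s) == 0;
}

int main(void) {
    printf("short parameter accepted: %d\n", demo_copy("id=42"));
    printf("long parameter rejected:  %d\n", demo_copy("id=4242424242424242"));
    printf("safe close leaves no dangling pointer: %d\n", demo_session_close());
    return 0;
}
```

The hardened copy returns an error rather than truncating because a silently shortened parameter is itself a parameter-manipulation vector; the hardened close changes the API to take a pointer-to-pointer, which is what makes the fix enforceable at every call site.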
Output & Deliverables
Upon completion of the assessment, we create a report with the key findings and recommendations. These recommendations provide information on how to achieve better-quality software.
▪▪ Risk-rated vulnerabilities and recommendations on how to correct them
▪▪ Archive with extracted data files and logs
▪▪ Conference calls
▪▪ Post-assessment consulting
▪▪ Code review reports
▪▪ Architecture score and comparison with a reference architecture
▪▪ Feature and quality weighted scoring of your application compared to direct rivals
▪▪ Security vulnerabilities and risks
▪▪ Security architecture, code, and documentation review against the OWASP Top 10 vulnerabilities and the MITRE CWE/SANS Top 25 most dangerous programming errors
▪▪ Security threat modeling
Value Proposition
SoftServe's desktop and web application security consulting provides the following benefits:
▪▪ A true understanding of the application security posture and how to improve it
▪▪ Insight into how well your development team followed the secure software development life cycle
▪▪ Avoiding, reducing, transferring, or mitigating security breach risks
▪▪ Making proper strategic decisions based on actual risks
▪▪ Avoiding security incidents and confidential data loss
▪▪ Improving software quality from a security point of view
SoftServe Inc.
US Headquarters
12800 University Drive, Suite 250
Fort Myers, FL 33907
USA
Toll Free: 866 687 3588
Tel: 239 690 3111
Fax: 239 690 3116
Europe Headquarters
52 V. Velykoho St.
Lviv, 79053
Ukraine
Tel: +380 322 409 090
Fax: +380 322 409 080
E-mail: info@softserveinc.com
Web: www.softserveinc.com