Applications

Most corporate environments or Internet platforms host a variety of in-house developed and commercial off-the-shelf applications. It is therefore important to understand that these can exponentially increase the attack surface of the organisation. Most organisations realise that it is essential that applications hosting sensitive information assets are the subject of individual security assessments, to ensure that they cannot be compromised by unauthorised threats or manipulated in an unexpected way by the authorised user population.

Applications are one of the very foundations of business processing and are used in virtually every area of an organisation’s function today. Whether a web-facing application used in a business to business extranet, an online store, an internal document or case management system or a management information system, an application normally drives user access to data and business functions.

Applications come in a number of different forms, ranging from standard web applications through to custom or off-the-shelf client/server software. Because of applications' diversity and prevalence within an organisation, an additional attack vector is introduced which an attacker can use to gain unauthorised access to information assets or to affect the integrity or availability of key business functions. It is therefore important that a business fully understands the risks regarding its applications and whether its information assets could be compromised via authorised or rogue access to them.

Our application testing services follow a number of best practice guides and methodologies, including the Open Web Application Security Project (OWASP) and the Open Source Security Methodology Manual (OSSTMM), and focus on profiling applications not only against well-established measures but also against new and emerging threats and those that might be specific to the application.

Digital Assurance completely customise the type of testing performed, based on the specific needs of the customer and an in-depth understanding of the security of the platforms and languages employed in an application.

Using a mixture of automated vulnerability identification and step-by-step manual analysis, our application testing methodology is designed to effectively identify a high number of application security issues and, in summary, includes the following steps:

  • Application Mapping and Enumeration – Mapping the web application across each level of access to understand how it works and the various areas of functionality that comprise it;
  • Vulnerability Identification – Identification of common and application-specific bespoke vulnerabilities (compromising business logic) within the application. This phase aims to identify problems with the application that could be used to compromise its functionality and logic, information assets stored within the environment that are otherwise inaccessible, or the underlying systems and networks;
  • Exploitation – Where agreed with the client, controlled exploitation attempts are undertaken to determine whether the identified application vulnerabilities can actually be compromised. Examples would include accessing otherwise unauthorised areas of the application, restricted information assets or Operating System functions;
  • Further Access – In a similar fashion to infrastructure testing, a review of the level of access gained is completed and attempts are made to use it to increase privileges to the application, database, Operating System or network.

The deliverable from the project is a report that outlines the key areas of risk to the application, alongside detailed information on each individual vulnerability with practical and pragmatic recommendations that the developers can use to effectively mitigate them.

An organisation will gain a significant return on investment by engaging a consultancy to deliver an application security assessment.