Application Penetration Testing and Application Security Services

A Growing Threat to Sensitive Data: Insecure Applications

Poorly coded applications put organizations at risk. A large amount of confidential consumer information lies within the application layer as more and more organizations develop applications to streamline internal processes and improve the customer experience. However, without making security an inherent part of the Software Development Life Cycle (SDLC), the risk associated with insecure applications far outweighs these gains in efficiency and customer satisfaction.

Secure128’s full suite of application security solutions delivered by an expert team of application specialists ensures that your application is tested and reviewed thoroughly. The application security team uses manual processes to test and review applications according to your needs. The result is specific guidance that can significantly improve the security of your applications. Traditional application testing with automated tools provides generic results that do little to combat the rapidly changing landscape of security exploits.

Application Penetration Testing

An application penetration test simulates an attack against an application to determine the effectiveness of its security controls. Performed by Secure128’s application security experts, the manual testing process probes an application much more thoroughly than automated assessment tools that can produce generic responses and excessive false positives. By thoroughly testing an application from a variety of authenticated- and unauthenticated-user perspectives, the Secure128 application penetration testing service highlights risks posed by exploitable vulnerabilities.

Secure128 application penetration tests evaluate an application's vulnerability to all known applications exploits including but not limited to:

• Cross Site Scripting
• Input Validation
• Authentication Bypass
• SQL Injection
• Buffer Overflow
• Input Manipulation

The intention of Secure128’s application penetration testing methodology is to demonstrate existing, exploitable vulnerabilities within an application that can lead to the compromise of critical data. Clients receive the results in a detailed deliverable including both tactical and strategic recommendations. The simulated attack aids clients in pinpointing flaws and mitigating the risk of data compromise.

Secure128 can perform thorough penetration tests of any application including but not limited to:

• Web Applications/Services - Web application interfaces are convenient, but an increase in risk accompanies this ease of use. Secure128’s application penetration testing service consists of a comprehensive test of the entire Web application and its supporting environment.
• Thin Client Applications - Thin-client applications run on the client machine but are primarily used to convey data from a central server, where the majority of processing and data controls are handled. Using Secure128’s experts to conduct testing of thin-client applications provides clients with a comprehensive test of the thin-client environment.
• Thick Client Applications - Thick-client applications run almost exclusively on the client machine, and server relationships are used only for storage or communication. Limited or no reliance on a server does not eliminate the risk of data compromise.

Application Code Review

Custom applications require custom security. During the Secure128 application code review, our application security experts manually inspect all relevant application source code to pinpoint deficiencies in security controls and identify development errors that violate best practices or may lead to vulnerabilities. A Secure128 application code review examines all aspects of an application’s security at the source-code level. In addition, the review includes an evaluation of the tools and commercial applications used to create and run the front- and back-end services.

Secure128 application code review will evaluate an application's vulnerability to all known applications exploits including but not limited to:

• Improper Buffer Checking
• Input Validation
• Weak Authentication
• Improper Cryptograpahy use
• Unintended Failures
• SQL Injection
• Access Control Issues

The code review culminates in an exhaustive report that details specific areas of application code that need repair in order to maintain a secure system. Secure128’s manual review ensures that your developers receive actionable, prescriptive information specific to your application rather than generic information provided by automated tools.

Specifically, Secure128 will provide a report for each reviewed application that will explain:

• Specific application and version tested
• Components of review performed on the application
• Assessment of the effectiveness of existing controls in terms of design and operating effectiveness
• Testing documentation
• Application risks identified
• Application security risk mitigation recommendations based on reviews
• Overall risk-level rating of the application
• Discussion of the review activities performed to arrive at the overall rating

Application Security Developer Training

Secure128 provides a customized training class to an organization’s developers based upon industry best practices and the results of the actual reviews performed. This service, Secure Developer Training, has been found to be more effective in mitigating future coding errors because developers are trained on examples taken from their own applications.

Secure128 can provide one to three days of client-site training tailored to fit the client’s application development environment. Ideally, the training session follows an application code review or application penetration test engagement so that specific examples from those engagements can be included within the training class. This way the client’s staff learns from real-world and business-relevant coding problems and can put their knowledge to use immediately.

Please contact us to learn more about our services