Organizations are continuing to migrate critical applications and sensitive data into web applications to better serve the ever-growing feature requirements of their customers. While this migration has been extremely beneficial to both the organization and the organization’s customers, it has also simultaneously expanded the attack surface being taken advantage of by malicious hackers. In many cases the advantages that make web applications so convenient also make them incredibly insecure.
Malicious hackers are actively exploiting vulnerabilities found within these web applications to gain access to customer information, financial data and other sensitive and confidential data. These malicious hackers are also utilizing these web applications as hopping points to penetrate through common perimeter defenses and gain access into internal networks. Organizations can no longer ignore the security of their web applications.
SudoSecure’s web application assessment identifies vulnerabilities inherent in the code of a web application itself, regardless of the technology in which it is implemented or the security of the web server or back-end database on which it is built. Specifically, SudoSecure analyzes the critical and individual components of the web-based portal, web application, and/or web services platform.
Using our detail-oriented methodology, derived from the Open Web Application Security Project (OWASP) methodology, and a combination of manual techniques and proprietary and commercial tools, our assessment will identify specific vulnerabilities and underlying issues within the web application.
Our web application assessment methodology specifically examines, but is not limited to, the following key areas:
- Administrative Interfaces
- Application Design and Architecture
- Application and Server Configuration
- Application Server Vulnerabilities
- Authorization and Access Control
- Application and Business Logic Flaws
- Canonicalization of Local and Unicode Input
- Credentials and Cookie Management
- Cryptography and Encryption
- Database Vulnerabilities
- Data and Input Validation
- Data Confidentiality and Integrity
- Error Condition Handling and Exception Management
- File System Access and Restrictions
- Injection Vulnerabilities
- Privacy Exposure and Issues
- Privilege Escalation
- Session Management
Our web application assessment can be performed separately, or in conjunction with a standard penetration test, as both assessments are complementary and model threats from different perspectives.
SudoSecure provides three basic approaches when performing a web application assessment and penetration test:
Blackbox/Zero Knowledge Testing:
In this approach, SudoSecure is not provided with inside information about the target environment or access to the web application’s source code.
Whitebox/Source Code Analysis:
In this approach, SudoSecure is provided with detailed information about the web application and its source code. Unlike Blackbox testing, with Whitebox testing SudoSecure walks through the application code line by line, looking for flaws that could allow attackers to take control of your application, perform a denial-of-service attack against it, use it to access your internal network, or use it in an unintended manner. This allows SudoSecure to take a holistic view of your application and identify vulnerabilities and exposure points that may otherwise have remained hidden.
Graybox/Partial Knowledge Testing:
In this approach, SudoSecure is provided with some level of information and portions of the source code when applicable and/or judged relevant by you, the customer. This allows SudoSecure to request access to portions of the web application we believe may be flawed for further examination, while limiting the exposure of your source code and other information to within your organization’s comfort level.