
Web Application Security Assessment

Security breaches have far-reaching impacts that range from remediation costs and damages payable to victims, to the incalculable toll of negative publicity and lost business. A September 2009 report published by the SANS Institute indicates:

  • Web applications constitute more than 60% of total attack attempts on the Internet
  • More than 80% of vulnerabilities arise from SQL injection and Cross-Site Scripting flaws in both open source and custom-built applications.

One of the most significant benefits of the SECNAP Web Application Assessment is knowing that your web applications have been tested for weaknesses that could enable unauthorized intrusion or expose sensitive data. In addition, the assessment will:

• Verify applications are configured to avoid disclosing unnecessary information (for example, server versions, stack traces or debug output)

• Validate user authentication processes, password reset mechanisms and session management schemes

• Identify strengths and weaknesses of web applications in terms of overall security

• Prioritize exposures that present the greatest risk

• Deliver an actionable report including executive summary and remediation recommendations.

Overview of the Assessment Process

The Web Application Assessment combines automated and manual tests designed to find weaknesses in the application. Initial steps include mapping the application's layout and identifying the entry points where the greatest risks appear to reside. Once the site is mapped, targeted attacks are run against those entry points to discover vulnerabilities, combining automated SQL injection and other fault-injection scans with manual penetration testing. Findings are compiled and a thorough report delivered, with supporting graphs and charts.

Assessment Components

Designed to verify that your organization's externally facing web applications do not contain vulnerabilities that could lead to the compromise of sensitive data, the assessment encompasses a variety of components, tools and tests.

Fault injectors are one example. These tools submit strings to the target application that are chosen to provoke failures or unintended behavior, such as a database error, an executed shell command or a file read outside the web root. Attackers use the same strings to probe an application for weaknesses that can be exploited. The following injector classes are typically employed during the assessment:

• Windows Command Injection

• Unix Command Injection

• SQL Parser

• SQL Disclosure

• Relative Path (directory traversal)

• Cross-Site Scripting

• Buffer Overflow

• Insecure Configuration

• Unvalidated Input

• Denial of Service
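To make the fault-injection idea concrete, here is an added example harness (written for this page, not SECNAP's own tooling) that submits a fault string from each of the injector classes above and flags the responses that show the string reached a database parser, a shell, the filesystem or an unhandled error path. The target is a deliberately vulnerable in-memory search endpoint constructed for the example, shown beside a hardened version of the same endpoint, so the harness runs offline; `fuzz()` accepts any callable that maps a parameter value to a response body, so it can be pointed at an HTTP client instead. All names, payloads and signatures here are the example's own assumptions. It also goes a little beyond the list above by adding a boolean differential check for blind SQL injection, where no error text is returned and the only evidence is that a true and a false tautology produce different pages.

```python
"""Fault-injection harness for the injector classes listed above.

Added example, not SECNAP's own tooling. The target is a deliberately
vulnerable in-memory "search" endpoint constructed for this example, so the
harness runs offline; fuzz() accepts any callable mapping a parameter value
to a response body, so it can be pointed at an HTTP client instead.
"""
import html
import re
import sqlite3
from typing import Callable, List, Tuple

# Fault strings grouped by the injector classes on the page. Each is a value
# an attacker would submit in a form field or URL parameter.
PAYLOADS = {
    "sql_parser": ["'", '"', "')"],
    "sql_disclosure": ["' UNION SELECT sqlite_version()--"],
    "unix_command": ["; id", "| cat /etc/passwd", "`id`"],
    "windows_command": ["& dir", "| type C:\\boot.ini"],
    "relative_path": ["../../../../etc/passwd", "..\\..\\windows\\win.ini"],
    "buffer_overflow": ["A" * 10000],
    "xss": ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>'],
}

# Response fragments showing the fault string reached something it should
# not have: a DB parser, a shell, the filesystem, or an unhandled error.
SIGNATURES = {
    "sql_parser": re.compile(r"OperationalError|syntax error|ORA-\d{5}|unclosed quotation", re.I),
    "sql_disclosure": re.compile(r"\b\d+\.\d+\.\d+\b"),  # leaked DB version string
    "unix_command": re.compile(r"uid=\d+\(|root:x:0:0"),
    "windows_command": re.compile(r"Volume in drive|\[boot loader\]", re.I),
    "relative_path": re.compile(r"root:x:0:0|\[fonts\]", re.I),
    "buffer_overflow": re.compile(r"Traceback|Internal Server Error|segmentation fault", re.I),
}

Finding = Tuple[str, str, str]  # (class, payload, evidence)


def _strip(body: str, p: str) -> str:
    """Remove the echoed input (raw or HTML-encoded) so only behaviour is compared."""
    return body.replace(p, "").replace(html.escape(p), "")


def fuzz(target: Callable[[str], str], benign: str = "alice") -> List[Finding]:
    """Submit every fault string to `target` and report what leaked."""
    findings: List[Finding] = []
    for cls, payloads in PAYLOADS.items():
        for p in payloads:
            body = target(p)
            if cls == "xss":
                # Reflected unencoded: the raw markup came back exactly as sent.
                if p in body:
                    findings.append((cls, p, "payload reflected without encoding"))
                continue
            m = SIGNATURES[cls].search(body)
            if m:
                findings.append((cls, p, m.group(0)))
    # Boolean differential check for blind SQL injection: if the input is
    # handled safely, a true and a false tautology are just two odd strings
    # that match no row, so the pages (minus the echoed input) are identical.
    true_p, false_p = benign + "' AND '1'='1", benign + "' AND '1'='2"
    if _strip(target(true_p), true_p) != _strip(target(false_p), false_p):
        findings.append(("sql_boolean", f"{true_p} / {false_p}", "response differs by tautology"))
    return findings


class VulnerableApp:
    """Constructed target: query built by string formatting, input echoed raw."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])

    def search(self, q: str) -> str:
        try:
            rows = self.db.execute(f"SELECT name FROM users WHERE name = '{q}'").fetchall()
        except sqlite3.Error as e:  # error text leaks straight to the client
            return f"500 {type(e).__module__}.{type(e).__name__}: {e}"
        names = ", ".join(r[0] for r in rows)
        return f"<p>Results: {names}</p><p>You searched for: {q}</p>"


class HardenedApp(VulnerableApp):
    """Same endpoint with a parameterized query, output encoding and a generic error page."""

    def search(self, q: str) -> str:
        try:
            rows = self.db.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()
        except sqlite3.Error:
            return "500 Something went wrong"
        names = ", ".join(html.escape(r[0]) for r in rows)
        return f"<p>Results: {names}</p><p>You searched for: {html.escape(q)}</p>"


if __name__ == "__main__":
    for name, app in (("vulnerable", VulnerableApp()), ("hardened", HardenedApp())):
        print(f"== {name} ==")
        for cls, payload, evidence in fuzz(app.search):
            print(f"{cls:16} {payload[:40]!r:44} -> {evidence}")
```

Run stand-alone, the vulnerable endpoint produces findings in the SQL parser, SQL disclosure, cross-site scripting and boolean classes, while the hardened one produces none; the command-injection, path-traversal and overflow strings are submitted to both but find nothing, because this target never touches a shell or the filesystem. Against a real application the same signatures would be checked on the HTTP response body, and a hit in any class is the point at which manual testing takes over.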

Testing to Identify Areas of Risk

The security assessment examines multiple levels of potential vulnerability, from individual input fields, to forms and pages, to cross-frame scripting weaknesses that span the whole site. In addition, tests are conducted to discover other areas of risk, such as:

- Unvalidated parameters

- Broken access control

- Broken account and session management

- Cross-site scripting flaws

- Buffer overflows

- Command injection flaws

- Error handling problems

- Insecure use of cryptography

- Remote administration flaws

- Web and application server misconfiguration

Final Report and Briefing

Our final report provides a thorough assessment of web application vulnerabilities, accompanied by expert recommendations to help you begin to address them. Findings may also be presented to key stakeholders, including C-level executives, IT management, and web application development and systems staff. Graphics are included in the Web Application Assessment report to illustrate specific findings. In addition, optional follow-on work, security equipment or security solutions may be recommended to help you address priority risks expeditiously.


What Clients Say

"SECNAP conducted a very thorough GLBA‐focused audit and left no stone unturned. They even noticed physical security issues, such as when an employee had temporarily propped open a door to one of our computer equipment storage rooms."

Adrian Diaz, Vice President, Information Security Manager, BankUnited / Case Study
