Application Security

A common gateway for cyber intruders today is through the application layer. Improperly configured and/or controlled applications can swing the doors wide open for hackers, allowing them access to confidential information. Case after case shows that the devastation a data breach can cause is complex and far-reaching, from actual and immediate monetary losses to long-term implications for business integrity and client trust.

With the plethora of Internet applications we use every day for on-line banking, bill pay, and account and/or policy information, which tie into a host of databases containing personal information or corporate secrets, the hacking community has found that attacking an application is often less complex, tempting them with the possibility of easier and bigger rewards. For instance, if hackers were to compromise a database through a company's on-line store, they may be able to gain personal information, like billing addresses, credit card information or any number of personal information fields that easily allow for terrible aftermath, like identity theft, credit card fraud or information brokering.

Organizations that use ASPs (Application Service Providers) and don't host their own applications should be aware of whether the hosted application was tested. Once an organization decides to trust an ASP with its data, the diligent and prudent practice is to have the ASP get the application(s) tested and supply a copy of the resulting report to the organization for review. This process allows an organization to thoroughly understand the risks and affords an opportunity to take appropriate measures.

Application security testing lets you know, ideally before an application goes live, if it is vulnerable to compromise by an attacker from the outside, or from within. Is the application vulnerable to hacking, SQL Injection or Cross Site Scripting? Before you trust confidential customer data to an ASP, it is imperative you make sure the application was properly tested for vulnerabilities. GDF can test an application for vulnerabilities, help secure it and ensure your organization’s data is substantially more secure.

Many clients opt to have GDF test any application that is hosted by an ASP and may contain sensitive data. As in any situation, prevention is far less costly than an emergency response.

What is tested?

Server Configurations
Session Management Security
Cookie Poisoning
Cross Site Scripting
CGI Manipulation
Buffer Overruns/Overflows
Weak Passwords
ACL Integrity
Command Injection
Forceful Browsing
Cryptography Configuration
Hidden and Form Field Manipulation
and more…

Phase 1: ANALYSIS AND REVIEW

1 – Understand the use of the application and the types of data the client is entrusting to the vendor.

2 – Review the vendor's security policies and certifications, or audit any available related documents they may have, e.g. SAS70.

Phase 2: BASIC VULNERABILITY

1 – Physical inspection of the data center and equipment

a) If a certification, such as SAS70, is not available, GDF will visit the physical location of the data center to review policy and procedure, verify the existence of security devices, and interview key security personnel in order to formulate a basic rating of both the physical security and the vendor's ability to maintain reasonable security levels.

2 – Network Vulnerability Analysis

a) While not a full-scale penetration test, the Basic Network Vulnerability Analysis will allow GDF to determine if common exploits or security holes exist which could expose client data. GDF will verify the security device configuration and the authentication and encryption methodologies, and will perform an overall security and exposure test from the outside.
b) A rating of the basic security will be generated.

3 – Application Security Analysis

a) The application source code and the security implementation for the application will be thoroughly reviewed and rated.
b) The methodologies and implementation of any database connections and code used to work with client data will be reviewed and tested for possible exploits or security flaws.
c) Comprehensive testing of the application’s security will be conducted by attempting to compromise the application and related systems.
d) An overall rating on the application’s security will be generated.

4 – Authentication Methodology Review

a) A review of the technologies used to authenticate users and protect data in transit will be performed.
b) A review of the policies governing authentication will be performed from both the vendor's perspective and the client's internal policies, to ensure best practices are highlighted and are being followed.
c) A real-world compromise of those technologies will be attempted.

5 – Ratings and Recommendations

a) GDF will provide the client an overview of the overall security model and its implementation.
b) Detailed recommendations on improving the overall security model will be provided.
c) Suggestions will be documented to improve and maintain the authentication model of the application.
d) A follow-up to ensure suggestions were implemented correctly and best practices are being followed will be conducted.

Every moment delayed is just one more opportunity for hackers to exploit potential weaknesses through your application(s), with sometimes devastating consequences. So don't hesitate. Contact a GDF account manager right now, toll free, at (800) 868-8189 or email info@evestigate.com and let us tailor a plan to fit your unique situation. The initial consultation is absolutely free, so you have nothing to lose … except future headaches.