Application Security Assessment

Application Security Assessment

The Application Security assessment’s purpose is to identify vulnerabilities in the application, estimate the probability of them being exploited, and provide a risk profile for the application components.

Cognosec Services

Cognosec Services

Features

Business-critical applications that are ‘interfaces’ for external stakeholders should always be assessed before being distributed – or changed or upgraded. And it’s hard to over-estimate the importance of regular reviews for these applications: what might have been state-of-the-art security a year ago can now be an entry point for a hacker.

Description

An application security assessment is a much more detailed penetration test, focusing on one specific application and checking that the necessary controls to protect information are in place. It is carried out by an experienced analyst, usually using a combination of open source and commercial automated utilities. The assessment’s purpose is to identify vulnerabilities in the application, estimate the probability of them being exploited, and provide a risk profile for the application components. Our analysts use logical errors in the application, as well as coding errors, to gain entry. We also look at what would happen if vulnerabilities were exploited, and advise on how they could be fixed.

Specification

Application Security Testing

Our testing approach is supported by a set of automated tools that not only identify common application vulnerabilities but also reveal business logic flaws that could be misused by attackers. In addition to these automated tests that cover a majority of common security flaws, we use conventional black box penetration testing techniques, which can be combined with a review of the applications critical source code to increase depth and optimize efficiency.

Source Code Inspection

A deep analysis of the application’s source code will be undertaken, identifying core weaknesses. Vulnerabilities will be assessed, prioritising them based on their severity and probability of exploitation.

Application Security Architecture

The fundamental design and logic of your application architecture will be assessed including its surrounding business environment. The number of ways in which an application can be written and developed is incalculable and therefore, to ensure maximum security potential, best-practice standards need to be upheld.

Application Security Controls

Merely optimising your application security architecture is often not enough; security controls also need to be put into place to fully secure an application. The integrity and effectiveness of controls such as authentication & session management, authorisation, cryptography & key management, data input validation techniques, and transport layer protection mechanisms will be reviewed to maximise your application’s level of security.

Download as PDF