Our professionals will work with you to develop a test plan. We provide several application and product security testing options:
Black Box – We perform testing using publicly available information. Threat modeling includes external attackers with no detailed application knowledge. Testing utilizes both automated tools and manual examination. The goal of this testing is to determine what security posture the application or product presents to an uninformed attacker.
White Box – In addition to Black Box automated and manual testing of the application, testing includes reviews of configuration files and security settings. We work with your staff to identify and assess security issues and to develop robust threat models. Administrative interfaces and connections to related components can also be assessed. The goal of this testing is to thoroughly identify weak and vulnerable aspects of an application in a cost-effective way.
Full Spectrum – In addition to White Box testing, we perform a coordinated code review and architecture assessment. This approach permits our security consultants to more efficiently identify security flaws and assess their impact on the components in the application or product architecture. Findings identified by testing and code review are correlated and cross-referenced, facilitating more extensive analysis and recommendations for remediation.
Application security code review services offer line-by-line inspection of the application to identify security flaws or backdoors left in the application. An application security code review is designed to highlight potential security vulnerabilities within the application based upon a defined application threat model. Our approach to Application Security Code Review typically involves the following steps:
Threat Modeling – A high-level threat model is developed in coordination with the development team, which helps us understand the application's functionality and its existing security threats. The risks identified in the threat model tell us which code to look at first and in the most depth.
Automation – Automated tools are used to assess the code for semantic and language-level security bugs and to speed up the search for vulnerabilities such as Cross-Site Scripting (XSS), injection flaws, file canonicalization issues and other classes of vulnerability that are labor-intensive to find by hand.
Manual Validation – Significant issues are validated manually through line-by-line inspection of the application code to find logic errors, insecure use of cryptography, insecure system configurations, and other known issues specific to the platform (e.g. buffer overflows).