An ERE application security assessment identifies every single application vulnerability caused by; insufficiently strong security architecture, weak coding and documentation practices, known vulnerabilities, and weak security between applications / databases / users. Our application security assessment methodology scope covers both web application pen testing and non-web facing application pen testing.
Each application pen test is accompanied by an application risk assessment, with risks triaged by criticality and a pro-forma risk based ROI business case for justifying the IT security auditors recommendations. Primary steps for our application audits include:
- A remote and internal application penetration test, performed by a certified CISSP application tester.
- Review of systems development lifecycle process.
- Review of security policy documents, security procedures documentation and flowcharts.
- Review access control lifecycle management.
- Review of audit trail of changes / accesses, encryption during transmission, validation of transmitted / received data, and depth of tiers.
- Review of problem and management tracking mechanisms, reporting.
- Review of application change management, application testing lifecycle, code library, and audit trail of access / changes.
- Review of BRP, DRP, back-up, offsite back-up storage, and record lifecycle.
- Application penetration testing for use of an IDE and database configuration.
- Application vulnerability test of code.
- Application risk assessment with pro-forma application risk assessment based ROI business case.
Typical Application Vulnerability Identified by Application Security Assessment
- Sequel Injection.
- Cross Site Scripting
, a critical step for a web application pen test.
- Lack of integration of security.
- Too many tiers in multi-tier application architecture.
- Weak lifecycle management of integrated development environments such as Python, PHP, Java, Perl, and .NET.
- Weak policies and procedures.
- Weak change management of source code.
- Weak back-up of source code.
- Weak prevention of source code being copied.
- Weak admin privileges / access and updated patches for server application and server database platforms.
Typical Vulnerabilities Identified in Database Security Assessment
- Weak security of database Connections.
- Weak protection of Access Control Table.
- Restricting Database access.
- Incorrectly configured database security parameters.
- Lack of updated patches.
- Lack of auditing known exploits.
- Weak admin privileges / access and updated patches for server application and server database platforms