SECURITY TESTING

In today's interconnected world, every organization must secure its network to protect the information held on the endpoints attached to it. Because there are many ways to connect to a network (LAN, WAN and so on), each connection path opens a further avenue of attack.

The larger the network, or the more confidential the data, the more critical it is to provide an adequate level of security. Independent technical assessment and review adds to overall security by supplementing the technical competence of the network designers and implementers. Beyond the network itself, the applications, databases and other components that process or store organizational information are equally essential to assess.

ImpactQA provides Information Security Technical Consultancy Services, which include Vulnerability Assessment and Penetration Testing of networks, Network Security Architecture Review, Application Security assessment and related services.

SECURITY METHODOLOGY

1. Initial Scoping: Once the order has been received, the first stage is to scope the engagement. We offer both internal and external assessments as part of the penetration testing service. Each can be carried out using one of two distinct methods: white box testing, where the tester is given internal knowledge such as architecture documents, credentials or source code, and black box testing, where the tester starts with no more knowledge than an outside attacker.

2. Reconnaissance Phase: Once the scope of the assessment has been agreed, the next step is reconnaissance. This phase consists of two steps, passive and active information gathering. Passive gathering draws on sources that never touch the target (public records, DNS, search engines, published documents); active gathering interacts with the target directly (port scanning, service and version enumeration). During this phase we attempt to gather as much information as possible about the target.

3. Assessment: Armed with the information gathered through passive and active information gathering, we carry out the required assessment. The operating systems and services found during reconnaissance are checked against current vulnerability databases to determine whether any vulnerability exists at the host or operating-system level. Note that version-based matching on its own produces false positives (backported fixes, disabled features) and misses configuration flaws, so matches should be verified before they are reported.

4. Reporting: Once all assessment data has been collected, the next phase is to analyze it and produce a report for the customer that describes the assessment and summarizes the key findings along with recommendations for remediation.

5. Presentation: Once the full assessment report has been created, it is uploaded to ImpactQA's secure document area. The customer receives the report a week before the scheduled follow-up meeting.

WEB APPLICATION SECURITY

Attacks have moved from the well-defended network layer to the more accessible web application layer that people use every day to shop, bank, manage healthcare, pay insurance, book travel and apply to college. One study of about 12,186 web applications found 97,554 vulnerabilities of various risk levels; about 49% of the applications contained high-risk vulnerabilities detected by automated scanning alone, while a detailed combined manual and automated assessment raised the probability of detecting such high-risk vulnerabilities to as much as 80-96%.

Application security testing is the detection of exploitable vulnerabilities within software applications. It is divided into two categories:

1. Static Application Security Testing (SAST) analyzes source code or compiled binaries without executing the application, and is applied during the design, construction and testing phases of the application life-cycle.

2. Dynamic Application Security Testing (DAST) exercises the running application from the outside (black-box) or with partial internal knowledge (gray-box), and is applied during the testing and operations phases of the application life-cycle.

The key benefits of application security assessment are:

  • Minimized exposure to threats.
  • Conformance to industry best practices.
  • Enhanced management confidence.
  • Protection of confidential data.
  • Independent and expert security rating.

What is it all about?

The following summarizes the attacks that large systems are typically most susceptible to, from malicious outsiders and insiders (users, processes and applications):

Authentication/Authorization Attacks

These attacks include brute-forcing passwords and other credentials (using dictionaries and lists of common account/password pairs) and exploiting insufficient or poorly implemented protection and recovery of passwords, key material and similar secrets, both in memory and at component boundaries. They also include attempts to bypass authentication, predict or hijack an authorized session, prevent session expiration, escalate privilege and tamper with data.

System Dependency Attacks

By carefully monitoring the environment in which your application runs, an attacker can identify the system resources it depends on and target them in an attempt to disrupt access. A system must be able to securely handle corrupt, missing or Trojaned files, including cookies and registry keys. We will also catalog known attacks against any reused third-party components.

Input Attacks

Large systems are often susceptible to input strings that trigger insecure behavior. Attacks in this class include long strings (buffer overruns), SQL injection, command injection (OS commanding), format strings, LDAP injection, SSI injection, XPath injection, escape characters, and special or problematic character sets. Initial configuration files and command-line switches are inputs too, and may affect the system in the same way.
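As an added example (not code from the original page or from ImpactQA), the following Python snippet shows the injection class in the form it is most often found during an assessment: a query assembled by string formatting next to its parameterized counterpart, both run against a constructed in-memory SQLite table. The table, the user rows and the two payloads are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # The client-supplied value is pasted into the SQL text, so a quote in it
    # closes the string literal and whatever follows becomes SQL grammar.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the statement is compiled first and the value is
    # bound afterwards, so quotes, comments and keywords inside it stay data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Payloads a tester would submit to a login or lookup form (constructed).
TAUTOLOGY = "' OR '1'='1"                                   # returns every row
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"  # steals hashes


def demo():
    """Run both payloads through both implementations and return the rows."""
    conn = make_db()
    return {
        "vulnerable_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": sorted(find_user_vulnerable(conn, UNION_DUMP)),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),
        "safe_union": find_user_safe(conn, UNION_DUMP),
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same root cause, and the same fix, applies to the other members of this class (command, LDAP, XPath and SSI injection): untrusted data must never reach the parser of the target grammar as syntax. Bound parameters, argument vectors instead of shell strings, and grammar-specific encoding achieve that; character blacklists do not.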

Design Attacks

Systemic design flaws often allow an application to be exploited. These include unprotected internal APIs, alternate routes through or around security checks, unnecessarily open ports, forced loop conditions and faking the source of data (content spoofing). Race conditions and attacks that exploit time discrepancies (time of check to time of use, TOCTOU) are of particular concern in this category.
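To make the TOCTOU concern above concrete, here is an added example (not from the original page or from ImpactQA) of the race as it appears in application logic: a withdrawal that checks a balance and then debits it. The account class, the thread harness and the amounts are constructed for the demonstration; the barrier only makes the interleaving reproducible, standing in for the ordinary scheduling gap between two concurrent requests.

```python
import threading


class Account:
    """Constructed sample: one account shared by concurrent request handlers."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, barrier):
    # Time of check: the balance is read outside any lock.
    if acct.balance >= amount:
        # The window between check and use. In production this is just
        # scheduling (another request on a second worker); the barrier makes
        # every thread pass the check before any of them debits, so the demo
        # fails deterministically. (It requires that all n threads pass the
        # check, which holds because nobody debits before the barrier.)
        barrier.wait()
        # Time of use: locking only the update is a common half-fix. The
        # arithmetic is atomic, but the decision to debit used stale state.
        with acct.lock:
            acct.balance -= amount
        return True
    return False


def withdraw_safe(acct, amount):
    # Check and use form one critical section: the balance cannot change
    # between reading it and debiting it.
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_concurrent(n, target):
    """Run target(i) in n threads and return their results by thread index."""
    results = [None] * n

    def wrapper(i):
        results[i] = target(i)

    threads = [threading.Thread(target=wrapper, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy(n=5, balance=100, amount=100):
    """(successful withdrawals, final balance) for the racy implementation."""
    acct = Account(balance)
    barrier = threading.Barrier(n)
    results = run_concurrent(n, lambda i: withdraw_racy(acct, amount, barrier))
    return results.count(True), acct.balance


def demo_safe(n=5, balance=100, amount=100):
    """(successful withdrawals, final balance) for the locked implementation."""
    acct = Account(balance)
    results = run_concurrent(n, lambda i: withdraw_safe(acct, amount))
    return results.count(True), acct.balance


if __name__ == "__main__":
    print("racy:", demo_racy())   # five withdrawals of 100 from a balance of 100
    print("safe:", demo_safe())
```

The file-system form of the same bug has the same shape: `access()` or `stat()` on a path followed by `open()` on that path, with an attacker swapping a symlink in between. The fix there is to act on the opened descriptor (`fstat`, `O_NOFOLLOW`, `O_EXCL`) rather than on a path checked earlier; in a database, to check and debit in one statement (`UPDATE ... WHERE balance >= ?`) or under `SELECT ... FOR UPDATE`.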

Information Disclosure Attacks

Applications can often be forced to disclose sensitive or useful data in any number of ways. Error messages generated by the application frequently contain information useful to attackers, such as stack traces, internal paths or database details. Attacks of this type include directory indexing, path traversal, and determining whether the application allocates resources (temporary files, session stores, uploads) in a predictable and accessible location. The intent of this set of attacks is to isolate every case of information leakage.
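The path traversal case is worth a worked example, added here and not part of the original page or ImpactQA's material: a file-serving routine that joins the client's path onto a document root, beside a version that decodes once, rejects NUL bytes, refuses to treat the request as absolute and then verifies that the normalized result is still inside the root. The document root `/srv/app/static` and the request paths are hypothetical; the check is pure path arithmetic, so it runs without those files existing.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example. It must already be normalized
# (no trailing slash, no ".." segments) for the prefix check below to be exact.
DOC_ROOT = "/srv/app/static"


def resolve_naive(base, user_path):
    # Trusts the request: "../" segments and absolute paths walk out of base.
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_safe(base, user_path):
    """Map a client-supplied path to a file under base, or raise ValueError."""
    # 1. Decode exactly once, so "%2e%2e" is seen as ".." before normalizing.
    decoded = unquote(user_path)
    # 2. A NUL byte truncates the path in C-based APIs ("logo.png\0.txt").
    if "\x00" in decoded:
        raise ValueError("NUL byte in path: %r" % user_path)
    # 3. Never let the request name an absolute path; treat it as relative.
    rel = decoded.lstrip("/")
    # 4. Normalize, then require the result to remain inside base. commonpath
    #    compares whole components, so "/srv/app/static2" is not a prefix
    #    match the way a startswith() check would make it.
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes document root: %r" % user_path)
    return candidate


def is_allowed(base, user_path):
    """True if resolve_safe accepts the request, False if it rejects it."""
    try:
        resolve_safe(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest traversal attempts.
    for p in ["css/site.css", "css/../js/app.js", "../../etc/passwd",
              "/etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "logo.png%00.txt"]:
        print("%-26s naive=%-28s allowed=%s"
              % (p, resolve_naive(DOC_ROOT, p), is_allowed(DOC_ROOT, p)))
```

Two caveats a reviewer would raise: normalization does not follow symlinks, so a link inside the root can still point outside it, and the file should be opened with `O_NOFOLLOW` or re-checked with `os.path.realpath` after opening; and on Windows a backslash is also a separator, so it has to be normalized to `/` before this check. The same "normalized path leaves the root" condition is what to look for when reviewing access logs for traversal attempts.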

Logic/Implementation (business model) Attacks

The hardest attacks to apply are often the most lucrative for an attacker. These include screening temporary files for sensitive information, abusing internal functionality to expose secrets and cause insecure behavior, checking for faulty process validation, and testing whether the application can be driven remotely in ways its designers did not intend. An attacker who can interpose on traffic between components (man-in-the-middle) can alter sensitive data between the point where it is checked and the point where it is used, and can cause denial of service at the component level.

Cryptographic attacks

One of the biggest issues in cryptography is improper implementation. Cryptography is exceptionally well suited to protecting data at rest (when stored) and in transit, while protecting data in use presents further challenges. Even sound algorithms are undermined by hidden cracks in how they are applied: encryption without integrity protection, reused nonces, non-constant-time comparisons, or home-grown constructions in place of vetted libraries.
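As an added illustration of such a crack (this is example code, not from the original page or from ImpactQA), the block below shows what "encryption without integrity protection" costs in practice. A stream-style cipher is used without a MAC, and an attacker who knows what one field of the plaintext says rewrites it without the key; the same message protected with encrypt-then-MAC and a constant-time tag check rejects the edit. The keystream construction is a deliberately simple HMAC-SHA256 counter mode chosen so the block is self-contained, and the keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key, nonce, length):
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative only; real code uses a vetted AEAD (AES-GCM, ChaCha20-Poly1305)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_with_keystream(key, nonce, data):
    # Encryption and decryption are the same XOR. Nothing here detects edits.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext, offset, known, wanted):
    """Attacker step, needs no key: flipping a ciphertext bit flips the same
    plaintext bit, so a region whose plaintext is known can be rewritten."""
    assert len(known) == len(wanted)
    ct = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= a ^ b
    return bytes(ct)


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    ct = xor_with_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_verified(enc_key, mac_key, nonce, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Constant-time comparison; a plain == on tags leaks via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor_with_keystream(enc_key, nonce, ct)


def demo():
    """Returns (plaintext the victim sees after the unauthenticated forgery,
    whether the encrypt-then-MAC version detected the same forgery)."""
    # Constructed keys and nonce for a reproducible run. Real code: os.urandom(32)
    # keys, and a nonce that is never reused under the same key.
    enc_key, mac_key, nonce = b"E" * 32, b"M" * 32, b"\x00" * 8
    plaintext = b"role=user;id=42"
    # 1. Unauthenticated: attacker knows "user" sits at offset 5, wants "root".
    ct = xor_with_keystream(enc_key, nonce, plaintext)
    forged = xor_with_keystream(enc_key, nonce, tamper(ct, 5, b"user", b"root"))
    # 2. Encrypt-then-MAC: the identical edit is rejected before decryption.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, plaintext)
    try:
        decrypt_verified(enc_key, mac_key, nonce, tamper(blob, 5, b"user", b"root"))
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    print(demo())
```

The point for an assessment is that "it is encrypted" says nothing about whether it can be modified: any ciphertext that is acted on without a verified tag (session cookies, signed-looking tokens, stored records) is a candidate for this kind of bit-flipping, and a tag compared with `==` instead of a constant-time routine is a candidate for timing attacks.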

Penetration Testing

"Close the Security Gaps before hackers crack"

Many organizations underestimate how wide open their security exposure is, and overestimate the capacity and resources their internal IT staff can utilize to address it. Security posture needs to be examined on a regular basis to account for the evolution of new Internet threats. Online commerce initiatives require organizations to grant partners, suppliers, B2B exchanges, customers and other trusted connections into their networks. The entire structure is only as strong as its weakest link. Any poorly secured system, left unchecked, poses dangerous security risks for everyone else.

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source (a black-hat hacker or cracker). The process involves an active analysis of the system for any potential vulnerability that may result from poor or improper system configuration, known or unknown software flaws, or operational weaknesses in process or technical countermeasures.

Network Penetration Testing benefits:

  • Proactively minimize enterprise risk exposure.
  • Prevent potential financial drain by identifying and addressing risks before security breaches occur.
  • Satisfy the auditing/compliance aspects of regulations and standards such as HIPAA, GLBA, PCI DSS and Sarbanes-Oxley.
  • Get an in-depth investigation of enterprise systems from an internal or external perspective.
  • Prioritized reporting allows intelligent deployment of patches and optimum allocation of security resources.

CONFIGURATION SECURITY REVIEW

There are occasions where an organization implements good technology badly, resulting in a poor deployment. For example, the best firewall, poorly configured, will not stop undesirable traffic. This generally leads to a false sense of security and lulls the organization into complacency.

A technical audit is a comprehensive analysis and review of the security of the information systems from the perspective of how the internal controls operate. This analysis is essential to determine whether the controls in place are adequate and effective for the organization.

Technical Security Audit key benefits:

  • Determine the effectiveness of internal controls.
  • Detect gaps or failures of your existing security systems.
  • Give clients confidence that their data is well protected.
  • Reduce security risk and liability.
  • Prevent confidential information from leaking.
  • Protect intellectual property.
  • Abate financial loss and negative publicity.

The ImpactQA advantage

  • Combines best practices such as white box, gray box and black box testing.
  • Implements robust processes such as the application development and maintenance (ADM) philosophy to ensure application security is considered during all phases of the SDLC.
  • Rich experience in both open-source and commercial tools used for security testing.
  • Tie-ups with major tool vendors ensure thorough validation of all aspects related to security testing.
  • A comprehensive testing mechanism integrates industry best practices such as the Open Web Application Security Project (OWASP), SANS and the Open Source Security Testing Methodology Manual (OSSTMM).
  • Our security test consultants are backed by industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and ISO 27001 Lead Auditor (LA).
