Custom applications not only make an organization's life easier but also bring additional challenges in the context of information security. In many cases custom applications are not subjected to thorough security testing, as the developers are focused on implementing robust functionality. Therefore, to make sure that custom-made applications such as corporate web applications, e-commerce portals, fat clients, etc. contain adequate security features and overall have an acceptable level of security, application-level security tests are conducted.
Web applications are known to contain vulnerabilities that in worst-case scenarios allow an attacker to gain access to private data processed in these applications, or even to the underlying systems and networks. To avoid such a scenario, web applications can be tested using a recognized security testing methodology such as the OWASP Application Security Verification Standard.
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
The testing methodology can be applied in multiple ways:
In order to find as many vulnerabilities and security weaknesses as possible in a limited time frame, the second option, partial source code review, should be selected: providing the source code to the auditors enables them to better understand the inner workings of the application and the security-relevant mechanisms employed by its developers, such as the input sanitization and filtering implementation, data storage, etc. By looking at the source code the auditor can know for sure which input is filtered and which is not, whereas in a black-box test the pen-tester would spend additional time running test cases just to gain an approximate understanding of the input sanitization mechanism.
If the source code is not available, or the goal of the test is to verify the web application's security in a typical external attack scenario, then the black-box approach is used. The web application is subjected to a range of test patterns and payloads corresponding to the multiple vulnerability classes categorized in the methodology. Comprehensive web application security audits are performed manually, as automated tools can only support the process but do not yet replace the expert. Automated tools, such as application vulnerability scanners and source code security scanners, are used in the process to automate routine tasks. Not all vulnerability classes are applicable to every application; it depends heavily on the technology stack used by the developers.
A web application security audit results in a report that contains the identified security vulnerabilities and defects, their risk scores, proof-of-concept material and, if the source code is available, the pinpointed vulnerable code. Apart from demonstrating the security risks, the report provides additional information on which security measures can be applied to further improve the quality of the application.
After the vulnerabilities are fixed, our experts can verify that the applied fixes or mitigation measures are sufficient and the problem is solved by conducting a re-check, during which the report is updated with information on which problems have been successfully mitigated and which issues, if any, still need to be addressed.