Application Security Audit

Find security vulnerabilities in your system.

Get to know how secure it is.


e-point leverages 20 years of experience and state-of-the-art tools to find security vulnerabilities in client software that can be exploited by malevolent users or system administrators.

The intensity and depth of the audit can be adjusted to match the security level you need from the application in question. You can order a no-prior-knowledge Black Box Audit or an in-depth White Box Audit in which the attacker knows the source code of the system.

e-point’s post-audit report provides you with a listing of application vulnerabilities together with an impact assessment and recommendations on how to mitigate the risks.

Most attacked industries in 2017:

  • energy
  • retail / wholesale
  • infrastructure
  • automotive
  • healthcare
  • manufacturing
  • financial institutions
  • professional services


Why Expert Team Leasing from e-point?

… because security lapses cost money & destroy reputation.

Application security is a serious topic

  • Every minute approx. 5,000 data records are compromised
  • 77% of attacks use fileless malware, which is very hard to detect
  • Containing a data breach takes on average 66 days …
  • … and costs over $ 3.5 million

The risk of an attack depends largely on the purpose and significance of a company’s system. This means companies have to weigh the risks against the level of expenditure on application security. But one must never ignore it.

Steps of Application Security Audit

1. Identify initial vectors of attack

Analyze the test environment. Determine the tools needed and the distribution of requests in production traffic.

2. Setup test tools and scenarios

Prepare the necessary tools – set up or develop audit code. Verify that additional security systems are disabled. Ensure that the scope and timeframe of the audit execution are known to Infrastructure Management.

3. Perform scanning

Identify available services; determine protocols and versions; check input validation, exposure to injection attacks and the existence of known vulnerabilities; validate parameters; test for spoofing, etc.

4. Identify vulnerabilities

Perform attacks on vulnerable services, i.e. seek to gain unauthorized system access and, if successful, extract data or execute a denial of service. Document all detected vulnerabilities. Suggest quick fixes where possible.

5. Adjust tools and scenarios

After the fixes have been introduced, adjust the tools and scenarios to check whether the vulnerabilities have been eliminated and prepare for re-testing.

6. Prepare Report

Assemble the preliminary reports into a final report.
Prepare recommendations regarding the identified vulnerabilities. Remove test tools from the client environment.

Variants of Application Security Audit

A. Black Box Audit

No information about the environment to be audited is known to the Auditor. Only public interfaces are exposed. It is the Auditor’s job to determine the software running in the system and to find vulnerabilities.

B. Grey Box Audit*

The Auditor knows the purpose of the system and the system architecture, together with the IP addresses and operating systems used. The audit is performed from the internal network of the customer company, thus simulating a most likely

C. White Box Audit

The Auditor not only knows the system architecture and functionality but has access to the system source code and configuration as well. This audit simulates an inside attack with a lot of detailed knowledge of the system.

*recommended
