Application Security Assessments
With cyber criminals focused on stealing your sensitive information, organizations must deploy security solutions specific to their application requirements to secure their data and meet various compliance standards. Our Application Security Assessments include various methods to prevent gaps in the security of the application and underlying operating system that hosts the application.
SecureStrux helps businesses and government agencies discover, assess and report on vulnerabilities, misconfigurations and improper access controls within their websites and back-end databases.
SecureStrux uses industry-recognized tools to evaluate web services, ensuring that portals and public-facing websites are secure and that back-end databases and applications are protected.
Our Application Security assessments include, but are not limited to, the following:
- Manual and Automated Code Reviews. Code reviews are critical to application security. Automated and manual code review results are analyzed for common vulnerabilities, such as SQL or XML Injection, Cross-Site Scripting, Cross-Site Request Forgery, Buffer Overflows, Session Hijacking, and Clear-Text Passwords, to name a few.
- Secure Coding. The overall application development process must have security built in from beginning to end, following a strict Software Development Life Cycle (SDLC) where security is integrated into the application from inception and not just incorporated at the end of the project.
- Policies and Procedures. Without policies and procedures there is a possibility of a single point of failure in application security, including failure of confidentiality, integrity and/or availability. Policies and procedures include: Backup and Recovery Procedures, Incident Response Plan (IRP), Disaster Recovery Plan (DRP), Continuity of Operations Plan (COOP), Audit Log Retention and Review Procedures, Application Configuration Guide, etc.
- Approved Encryption. The application must encrypt sensitive data at rest or in transit. The encryption should use cryptographic modules that follow Federal Information Processing Standard (FIPS) Publication 140-2, and hashing algorithms should follow FIPS 180-4, the Secure Hash Standard, as published by the National Institute of Standards and Technology (NIST).
- Database Security. Databases are a huge target for cyber criminals, and many organizations fall short in protecting these critical repositories of customer information (PII and PHI) and intellectual property. Our team assesses and remediates hundreds of vulnerabilities in Oracle, MySQL, Microsoft SQL Server, DB2, Sybase, PostgreSQL, and Hadoop.
- Web Security. The Open Web Application Security Project (OWASP) has identified the ten most critical web application security risks. Since most businesses and government entities use the Web to communicate and perform daily tasks, it is understandable that a majority of an Application Security Review is focused on the OWASP Top Ten. These vulnerabilities include, but are not limited to, Injection, Broken Authentication and Session Management, Cross-Site Scripting, Insecure Direct Object References, Security Misconfiguration and Sensitive Data Exposure. With the web security threat environment constantly evolving, it is critical that websites and public-facing web applications remain secure.
- Web Service Security (WS-Security). When an application uses web services such as the Simple Object Access Protocol (SOAP), the WS-Security extensions can provide message confidentiality and integrity, and Security Assertion Markup Language (SAML) assertions can provide authentication, during communication. A review of web services validates that WS-Security and SAML are correctly configured to provide the confidentiality, integrity and authentication the application requires. The single most important requirement that SAML addresses is web browser single sign-on (SSO).
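The following is an added example, not SecureStrux code, illustrating the "Manual and Automated Code Reviews" item above: a minimal automated check that walks a Python syntax tree and flags two of the vulnerability classes named there, SQL built from string formatting and passed to `execute()` (a SQL injection pattern) and clear-text passwords assigned to obviously named variables. The `SAMPLE` source it scans is constructed for the demonstration and contains one injectable query beside its parameterized counterpart.

```python
"""Added example (not SecureStrux code): a tiny automated code-review check
that flags two vulnerability classes named in the assessment description:
  * SQL built by string formatting or concatenation and passed to execute()
  * hard-coded clear-text passwords assigned to obviously named variables
"""
import ast

# Variable names that commonly hold credentials (assumption for this example).
PASSWORD_NAMES = {"password", "passwd", "pwd", "secret"}


def _is_dynamic_string(node):
    """True when the expression builds a string from run-time data.

    f-strings, '+' concatenation, '%' formatting and str.format() all splice
    data into the query text; a plain string constant does not.
    """
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def scan_source(source):
    """Return a sorted list of (line, finding) tuples for the given Python source."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # execute()/executemany() whose first argument is a dynamically built string
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             "SQL built from string formatting passed to execute()"))
        # password = "literal": a credential stored in clear text in the source
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and target.id.lower() in PASSWORD_NAMES
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append((node.lineno,
                                     f"clear-text password in variable '{target.id}'"))
    return sorted(findings)


# Constructed sample input: one clear-text credential, one injectable query
# (line 6) and the parameterized form of the same query (line 7).
SAMPLE = '''
import sqlite3
password = "hunter2"
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for line, msg in scan_source(SAMPLE):
        print(f"line {line}: {msg}")
```

The parameterized `execute()` call on line 7 of the sample produces no finding, because its query text is a constant and the user-supplied value travels separately as a bound parameter; that contrast is the point a reviewer looks for when triaging injection findings. Checks like this are a starting point for automated review, not a substitute for the manual review the item above pairs it with.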