Today, almost every corporation and organization that uses computers in any significant way has a presence on the World Wide Web. Web applications have held a prominent spot among the top ten security issues for several years now, and there’s no sign that these issues will become less significant.
Web Application Audits
As a planet, we’re very slowly getting better at security. We’re starting to see the end of the buffer overflow, but it’s been over 12 years and cross-site scripting (XSS) and SQL injection are still GROWING!! Our applications are getting more Connected, Complex, and Critical all the time. Individually, each of these factors makes security more difficult. Together, they create a perfect storm for attackers.
Areas Covered by Web Application Testing
- Security analysis:
- Threat modelling
- Manual and automated code review
- Penetration testing
- Architecture review
- Focus on the software assurance requirements mandated by FISMA (NIST SP 800-53) and by the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and DoD 8500.2
CKSS will work with your internal team to develop a holistic approach as we:
- Implement Infrastructure Controls: Organizations have to maintain physical and network infrastructure controls. Good security practices require secure configurations on the application server, web server, database server, and operating system.
- Establish Application Controls: Employ good application safeguards such as authentication, session management, input validation and sanitization, error checking and handling, and multi-tiered solutions.
- Implement Data Protection Controls: Use strong encryption for data at rest and in transit. Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, Social Security numbers and authentication credentials. Attackers may steal or modify such data and conduct identity theft and card fraud.
- Develop a System Development Life Cycle (SDLC) Process: The need to consider security and privacy “up front” is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.
- Provide an Independent Assessment Team: It is critical to have an independent team that performs manual and automated code review to check for security vulnerabilities.
“Eighteen percent reported that the breaches cost their organization $500,000 or more,” says Forrester in its 2013 survey report.
The 240 participating companies, based in North America and Europe, also acknowledged that the data breaches related to web application vulnerabilities had a negative impact on the reputation of the individuals responsible for application security.