ControlCase

Compliance as a Service

You are here: Home / Services / Application Reviews

Application Security Review and Testing

The objective of the ControlCase application test is to quantify the level of security exposure in your application environment. The application test is a security assessment of an application against specific application security criteria such as those defined by Open Web Application Security Project (OWASP). The assessment consists of tools based testing, but the majority of the assessment is done manually with a web browser or designated client software.

Tools Based Application Testing

As part of the application penetration testing, ControlCase will:

  • Run application testing tools (such as Acunetix) in multiple modes, in ascending intensity;
  • Platform only;
  • Unauthenticated safe;
  • Authenticated full (multiple user levels);
  • Run a vulnerability testing tool to perform platform security testing;
  • Run port scanners, Nessus and any other applicable tools;
  • Manually verify all vulnerabilities for validity and impact;
  • Save all vulnerability results for future reference.

 

Manual Application Testing

As part of this phase of the application testing, ControlCase will:

  • Use a local web-proxy to intercept and log all traffic;
  • Paros, WebProxy, Spike, Achilles, etc.
  • Walkthrough the entire application, logging everything for later reference;
  • Test every URL, form-field and cookie parameter;
  • Validate security vulnerabilities through application penetration testing.

ControlCase will also review the security of each of the following areas within the application:

  • Input validation (Server side and client side)
    • SQL Injection, Cross Site Scripting (XSS), HTML Injection, Overflows
  • Access Control
    • Privilege Escalation, Profile Hoping, Forceful Browsing
  • Password Policy
    • Password Strength, Password Resetting
  • Session Management
    • Session Variable Strength, Session Timeout, Cookie Variables
  • Security Configuration
    • Web/Application Server, Account Lockout
  • Authentication Mechanism
  • Encryption
    • SSL, Cipher Strength, Data Encryption
  • Error Messages
    • Verbose Errors, Error Generation, Debug Information