
Astyran Pte Ltd

Pragmatic Application Security

Application Vulnerability Assessments 
Overview

Attacks are shifting from the network level to the application level. The number of high-profile attacks on financial and other websites is rising. End-user workstations are under continuous attack by sophisticated worms targeted directly at your web solutions. Pressure from regulatory bodies is rising. Hacktivists might suddenly pay attention to your applications.

An application security assessment looks at your application and reports on the weaknesses found. Unlike penetration tests (which Astyran also performs), the ultimate goal here is not to penetrate the application but to report on the vulnerabilities found.

What Sets Us Apart?

Our approach is business driven: vulnerabilities are investigated, documented and reported according to the potential damage that may arise if they are exploited.

Our approach is focused on manual work: a skilled and experienced consultant will assess the security of your critical application. This is contrary to the methodology of most of our competitors, where a tool is run first and its results are then reviewed. Current tools are not capable of detecting business logic errors, and even many of the common flaws might be missed.

The focus of our report is on giving guidance on how to improve on the discovered security posture and includes the following content:

  • An executive summary with score and high-level recommendations. This summary is written for business managers and does not use technical jargon. It explains exactly what harm an adversary can do.
  • Recommendations on how to tackle the issue (quick fix possible, temporary fix, complex change, new application, ...) taking into account the cost factor.
  • Recommendations on which processes to improve, with - where relevant - summaries for audit, security, development and IT management.
  • A description of the scope, scoring method and methodology.
  • Technical details with, for each item found (rated from critical to low), a description of the issue, the possible impact, proof of concept and remediation steps.
  • References are made to the Common Attack Pattern Enumeration and Classification (CAPEC) and the Common Weakness Enumeration (CWE) in order to have a common language to discuss items. Note: Astyran is currently pursuing CWE Compatibility in the CWE Compatibility and Effectiveness program.
 
Methodology Based on Business Relevance

We consider the business threats and risks at the start of a project and make certain that we focus on your attention points. Scoring is based on how critical the application or data handled by the application is for your business.
 
Standards Compliant

Our methodology is based on the Open Web Application Security Project (OWASP) testing guide for tests on the (web) application level. We use a mixture of automated scans using open source as well as commercial tools, followed by a verification and deeper probing of the application by a highly skilled consultant. This pragmatic and cost-efficient approach is fully compliant with the requirements of international standards, such as:

  • The Payment Card Industry (PCI) requires periodic automated scans and penetration tests on application and network level as well as source code review for payment applications;
  • The Internet Banking and Technology Risk Management Guidelines (IB&TRM) of the Monetary Authority of Singapore (MAS) requires a mixture of countermeasures, including penetration tests and code reviews;
  • A document (IT Control objectives for SOX) by the Information Systems Audit and Control Association (ISACA) mentions that it can be expected from a SOX compliant company that risk assessments are done on infrastructure and processes;
  • ISO 27002 details that the capability of service providers must be assessed and that contracts must provide the right to monitor and audit. ISO 27002 further details that compliance checks include penetration tests and vulnerability assessments that may be executed by external experts.
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that contracts with partners must include that administrative, physical and technical measures are being taken to protect the security of information received.
 
Make Your Choice

There are different types of application security assessments. Make your choice depending on your business objectives and your security and audit needs:

  • Black Box tests: Assumes zero prior knowledge of the system and no advance access to any accounts. This results in a view on how far, in a limited time, a malicious user or hacker can go. Note however that this is not a complete view: hackers are not limited by time, while the tester is.
  • White Box tests: Uses existing or newly created end-user accounts for additional access during testing. This gives an informed view on what an insider (user, consultant, outsourcer personnel) can do.
  • Crystal Box tests: Performed using an application administrator account to gain full access to the application.


Where applicable tests are executed from three perspectives:

Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the user logon authentication process, session management, as well as attempting to uncover other areas on the target application that may provide remote, unauthenticated, or unauthorized access.

Authenticated User: This test is carried out from the perspective of a normal user with a normal user's knowledge. Therefore a set of valid user login accounts and passwords is required. The focus is on checking authentication and authorization controls and procedures, roles, and limitations such as time restrictions and potential contamination (assuming the access rights of another user, viewing and modifying data of another user).

Power User: Power users are users that have very specific, powerful access to the application, but they are not users of the application itself (e.g. system administrators, database administrators, operators, software maintainers, etc.). The focus is on access to the system logs, audit trails, configuration files and other possibly sensitive data on the system, and on potentially dangerous functions such as re-enabling user accounts, stealing credentials, or modifying evidence. We assess the prevention and detection capabilities of the system for such attacks and how the system audit trails provide evidence of the actions of power users.

Frequently Asked Questions

What is your pricing model?

All assessments are fixed price. You know upfront what it will cost you. The more assessments of a single application that are ordered (e.g. a yearly contract for quarterly assessments), the cheaper it becomes. Pricing also depends on whether the assessment can be done remotely (over the internet) or must be done locally at your premises. Another factor is whether the assessment must be done on the production server (potentially dangerous and requiring more attention and skills) or on a test system.

Do you use tools?

Yes we do. Consultants do not scale well, and there is a limit to how many attack vectors can be checked in a limited amount of time. Therefore tools are used. The security expert knows how to run those tools, knows their limitations, and then fills in the gaps to complete the assessment. You do want the consultant to spend his time looking for issues that are relevant for your business and that a scanner cannot detect.

Can you give us a list of tools used?

Normally our answer to your request for a proposal will list generic tools used. The final report details the list of tools used for your specific application.

I only want a vulnerability scan

We are perfectly capable of limiting our approach to the use of a scanner if this is your objective. Automated scans do have their use and might be required by certain compliance requirements.

How do you protect our confidentiality?

Security measures regarding communication, reporting, and data security will be discussed at the kick-off of a project. Typically encryption will be used for all communication. Data gathered during an assessment is not unnecessarily kept and will be destroyed one month after the acceptance of the final report.
