Application Testing

The importance of testing web-facing applications

Web applications have become common targets for attackers because they often contain application-layer vulnerabilities that standard network vulnerability scanning does not detect. While standard countermeasures and network vulnerability scanners are an important layer of any Information Security Program, they typically search for and detect only known vulnerabilities at the network layer and can overlook issues specific to web applications.

To properly analyze threats such as cross-site scripting (XSS), input validation issues, and authentication attacks, a manual ethical hack from within the application is necessary. TraceSecurity's Security Analysts will review your web application for vulnerabilities and consult with your organization during the remediation process.

Compliance Overview

IT Security Compliance regulations and guidelines (GLBA, FFIEC, FDIC, NCUA, OCC, OTS) require an organization to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information, including Non-Public Personal Information (NPPI).

Best Practices state that each organization should perform an External Penetration Test in addition to regular security assessments in order to ensure the security of their external network; this includes any web-facing applications that are exposed to risk.


Solution Overview

The objective of the TraceSecurity Web Application Testing service is to determine the strength of the online application's security profile and ensure that sensitive information or access is not granted because of application-layer vulnerabilities.

The TraceSecurity Information Security Analyst (ISA) assesses the online application to identify weaknesses in:

  • General architecture
  • Session management
  • Transport security
  • Access control & authorization
  • Logging
  • Data validation
  • System attacks
  • Perimeter manipulation
  • Privacy concerns
  • Cryptographic algorithms


Download Data Sheet


TraceSecurity's Online Application Test provides up-to-date security auditing for vulnerabilities such as:

  • Software Infrastructure/Design Weaknesses
  • Authentication
  • Session Management
  • Input Validation Attacks
  • Cross Site Scripting Attacks
  • Script Injection Attacks
  • CGI Vulnerabilities
  • Cookie Theft
  • User Privilege Elevation
  • Web/Application Server Insecurity
  • Database Vulnerabilities
  • Privacy Exposures
  • Logical Flaws


Testing Requirements

  • Brief training or educational introduction to the mechanics of the application
  • Multiple test accounts or administrative access to create additional accounts


TraceSecurity's Web Application Testing methodology is performed almost entirely by hand rather than with automated scanners. This approach allows TraceSecurity's expert analysts to find vulnerabilities beyond what automated scanning tools may find.


The Online Application Test results are provided in an extensive report containing:

  • Immediate Notification of Critical Risks
  • Executive Summary
  • Business & Technical Risks/Recommendations
  • Application Test Methodology
  • Application Security Issues Listed by Risk Type and Areas of Concern
  • Details & Exposure of Application Vulnerabilities
  • Enumeration of Successfully Penetrated Systems
  • Recommendations and Counter Measures
  • Appendix Examples
  • Video and/or screen image records of the application test results are available as options