Web App Security Audit Services

Transcription

1 locuz.com Professional Services Web App Security Audit Services

2 The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer. Immunity against security threats is becoming one of the leading challenges for Enterprise community. The race to go online and develop competitive services are enabling enterprise communities to launch web applications rapidly with less attention to security risk s making the sites vulnerable. Interestingly many corporate sites are vulnerable to hackers in touch of a button. Web-based applications are the portal of choice for illegal entrance to your organization's network. That's why you need to defend your network by arming yourself with the knowledge of how attacks occur-and learn how to fix the problem before someone finds holes in your network security armor. When it comes to Web application security, many companies just scan their systems for vulnerabilities and call it a day. But that's a mistake: Don't rely on system security analysis of the Web platform to indicate whether the application is secured. Many of the most dangerous security holes in IT infrastructure are based not on worms or viruses, and not on known vulnerabilities in Application Servers, but on vulnerabilities in the WEB-applications themselves. These vulnerabilities are unique to each application. Application-level vulnerabilities leave the door open to costly external Web attacks, internal database breaches, and worms. WEB-application Vulnerabilities Occur in Multiple Areas Application Platform Known Vulnerabilities Administration Extension Checking Common File Checks Data Extension Checking Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reserve Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site Scripting

3 Risk Assessment Web applications security vulnerabilities should be identified assessed and addressed as a part of enterprise risk assessment program. Backdoor Broken authentication Brute force Buffer Overflows Code errors Command Injection Cookie Manipulation Cross-site scripting Debug Option Developer comments/ debug Directory Attacks Firewall Configuration error Hidden Field Manipulation HTTP Misformat Insecure functions Insecure use of encryption Method Matching Null Method OS Configuration Parameter Manipulation Protocol Piggy Back Services Perversion Session Poisoning SQL Injection Subvert Server time Subvertable client-side code Thread Safety Problem URL Encoding Web Server Configuration 12% 15% 42% 23% 42% 23% 31% 27% 8% 31% 23% 35% 27% 45% 35% 27% 12% 27% 38% 15% 31% 42% 38% 38% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

4 Test Scope Test Category Test Types Web App Testing Brute Force Insufficient Authentication Authentication Weak Password Recovery Validation Credential/Session Prediction Authorization Insufficient Authorization Insufficient Session Expiration Session Fixation Abuse of Functionality Logical Attacks Denial of Service Insufficient Anti-Automation Insufficient Process Validation Content Spoofing Client- Side Attacks Cross Site Scripting CGI Scripting Extensive, Including application specific Buffer Overflow Format String Command Execution LDAP Injection OS Commanding SQL Injection SSI injection Directory Indexing Information Disclosure Path Traversal Predictable Resource Location Information Leakage ICMP Checks Windows NT Checks TCP & UDP Port Tests Stealth testing DNS Spoofing RPC testing Initial Sequence Number Prediction System Vulnerability Check FTP abuse checks SMTP relay checks (spam) LDAP checks SNMP checks DNS and bind checks SMB/ NetBIOS checks NFS checks NIS checks WHOIS checks Domain checks Spoofing checks

5 Locuz Approach Taking Enterprise to Next Level of Security Enterprise must be able to detect the loopholes in their web applications. To enable this process software and security professionals can evaluate the severity of the loopholes and can patch them as quickly as possible. A typical methodology might be to evaluate the portfolio of applications on web connected devices and assess each layer of application logic for potential vulnerabilities by, Performing technical due diligence on a given WEB Application Finding new ways to break into the application Identifying potential holes in the application that might endanger organizations Based on the above process and open web application security project (OWASP) we probe in to both known and unknown vulnerabilities. Benefits Delivers timely and valuable application vulnerability information to assist in developing proactive protection measures Provides advice and actionable data needed to quickly address security holes provided by experts Protects business and information assets against hacking and loss of valuable data Assists in increase of customer confidence and trust on the application Prevents loss of customer s confidential information Overcoming legal hassles due to failure of the application security Reduces the cost of recovery and fixes due to loss of information

6 Methodology Locuz follows a 5-step process to enable enterprises to meet this challenge. Information Gathering 1 Planning & Analysis 2 Information Gathering 5 Analysis & Report Vulnerability Detection 3 Analysis & Report Vulnerability Detection 4 Attack/ Penetration Testing Assessing Gathering the information from the client regarding his business implications due to the vulnerabilities Understanding the client requirements on the components of the web application (Web servers, Database servers etc) to be performed Verify with the client whether the vulnerability test should be performed on the website on real time or off time Planning Define the scope based on the nature, timing and extent of the evaluation Verify that no test will violate any specific law of local or national statute. Also, our auditor will consider obtaining a signed authorization form from the client agreeing to the deployment of web application penetration testing tools and methods Investigate and use available automated tools to perform web application vulnerability assessments. These tools improve the efficiency and effectiveness of web application security testing Designing Freeze the vulnerability types in discussion with the client Design the security test framework depending on the client environment Perform the attacks on the submitted URLs either locally or remotely

7 Attacking Assess possible methods of attacks based on identification of vulnerabilities Identify the type of OS employed by target hosts Obtain permission to execute a port scan for those destination target hosts that are live. Execute exploits on the client web environment Analysis & Reporting Run commercial or open source web application vulnerability assessment tools to verify results Defining the scope of the analysis Objectives of the report Period of work performed Nature, timing & extent of web application vulnerability analysis performed Conclusion as to the effectiveness of controls and significance of vulnerabilities identified Deliverables Once testing process is completed, Reports are generated and delivered to the Enterprise under test. These reports are configured to make the user comprehend the impact of the test. This is articulated to the fact that the report is delivered with proper and clear communication language styles (English). The identified security loopholes are categorized as follows: RISK High level risk Medium level risk Low level risk CATEGORIES Vulnerabilities that will breach the Enterprise systems immediately Vulnerabilities that needs yet another combinations to breach the system Vulnerabilities that are un patched and leaves a trace for future attacks The testing steps are documented, the findings are discussed, and all weaknesses identified, have solutions suggested with linking information and references where necessary. Where possible, a range of options might be supplied to allow the IT department to choose the one most applicable. The information in the report can range from technical port scan results to company documents, and is normally of most interest to technical staff.

8 locuz.com About Locuz Locuz is an IT Infrastructure Solutions and Services company focused on helping enterprises transform their businesses thru innovative and optimal use of technology. Our strong team of specialists, help address the challenge of deploying & managing complex IT Infrastructure in the face of rapid technological change. Apart from providing a wide range of advisory, implementation & managed IT services, Locuz has built innovative platforms in the area of Hybrid Cloud Orchestration, High Performance Computing & Software Asset Analytics. These products have been successfully deployed in leading enterprises and we are helping customers extract greater RoI from their IT Infrastructure assets & investments. Web App Security Audit Services Locuz Enterprise Solutions 401, Krishe Sapphire, Main Road, Madhapur, Hyderabad , Telangana, India