Application Backdoor Assessment. Complete securing of your applications

Transcription

1 Application Backdoor Assessment Complete securing of your applications

2 Company brief BMS Consulting is established as IT system integrator since 1997 Leading positons in Eastern Europe country Product portfolio IT Security Clouds, Migration and IT Support Business software development Internal processes are certified according to the quility requirements of ISO 9001 international standard 60+ technology partners around the world Our honorable clients: 80+ certified engeneers and consultants 500+ projects in government, industry, banking and telecom sectors

3 200+ Employees 60+ Vendors InfoPulse A part of thepartner Nordic IT group EVRY

4 Application Backdoor Assessment Background Typical application consists from tens of thousands stings of code and each string can contain peace that can behave unpredictable way. There are a lot of reasons for backdoors and vulnerabilities to appear in your software: Human errors Sabotage Government anc competitor s espionage Orginized crime You need to inspect every peace of code to be sure that you application is safe to use. Expecially it relates to software that suffer frequent changes or updates. Brif service description Application backdoor assessment is a special type of source code audit that is directed to insure full code safety. This assessment is based on static analysis of source code with dynamic confirmation of vulnerable or dangerous parts of code. We use as proven automatic tools for static code analysis as manual code inspection by professional application security engineers. Main features More than 80% of possible vulnerabilities can be found and corrected before application go to operation More than 10 different programming languages are supported All vulnerabilities and backdoors fount are been thoroughly inspected through dynamic testing and threat modelling All assessment process is fully controlled by client Who will need it Each company that uses custom developed software (both inhouse and outsourced) All candidates to PCI DSS or ISO compliance Companies that became a target of attack or hacking activities and needs to understand all possible ways of intrusion Companies that deal with sensitive financial or personal information InfoPulse Partner A part of the Nordic IT group EVRY Companies that migrate their software to new platform or in the cloud Everyone who accepts in production IT systems that suffer from custom software changes or updates.

5 Static + dynamic analysis Dynamic Analysis reveals about Static Analysis reveals about Hybrid Analysis reveals about 20% 80% 100% vulnerabilities vulnerabilities vulnerabilities Testing of running application that allows to identify the most obvious vulnerabilities, which real hackers will find first. Application vulnerability scan in the "rest allows to find the most flaws - even those that hacker will not be able to use. Integrated approach means that all static analysis findings go through functional verification. It allows to reveal almost all errors and efficiently plan measures for their remediation and provide the best protection

6 Tools and Standards OWASP Code Review Guide v1.1 OWASP Testing Guide v3 IBM Security AppScan Source / HP Fortify

7 Supported Languages Java JavaScript JSP ColdFusion C, C++, Objective-C NET (C#, ASP.NET and VB.NET) Classic ASP (JavaScript/VBScript) PHP Perl VisualBasic 6 PL/SQL T-SQL SAP ABAP COBOL

8 Project plan Project management: PM[10%] Consultant[30%] Consultant[30%] Consultant[100%] Consultant[20%] Engineer[100%] Engineer[100%] Engineer[30%] Consultant[100%] Preparation Static testing Hybrid testing Dynamic testing Report design Presentation of results Agreement on volume, tools and work area (SOW) Obtaining the necessary permits Getting the initial data Automated source code scanning by tools (static method) Manual inspection of tools results (static method) Application flow analysis (dynamic method) The identification of vulnerable applications Determination of immediate steps to address the most critical vulnerabilities Recommendations to address identified vulnerabilities Presentation of results Coordination of the plan to address identified vulnerabilities

9 Application Backdoor Assessment Project Results Assessment Report that includes : Identified vulnerabilities and backdoors Identified high-priority steps to be done to address the most critical problems List of approved vulnerabilities tested by the auditor Verification that the vulnerability or backdoor can be exploited on running application (in a test environment) Recommendations to address identified problem pieces of code Benefits Very fast results Full confidentiality is guaranteed Detailed recommendations and phone support Follow-up checks are included Free vulnerability scan during 1 year guarantee period Pricing Lines of code Duration, workdays Price, Euro

10 Our competences and experience Our team Several sub teams of professional: Pentesters Developers Software engineers Software testers Security architects Certified CISA, CISSP, CEH Our experience 13 years in CyberSecurity More than 20 software penetration tests More than 100 satisfied customers Deep expertise in Corporate IT Security Oracle SAP Microsoft,Net Java Android Security ios Security Internet banking security BMS strengths Professional teams specialized in many areas Multilingual staff Guaranteed quality Unique approach to project management

11 Thank you for attention! 11