Scope of Security Testing
- Web applications and products
- Mobile applications and products
With the ever increasing need for businesses to open their doors to other businesses, a web application is perhaps the first face an organisation presents. That first face is also perhaps the first place to attract attention, and attack, on the internet. With the easy availability of tools and resources, and the absence of secure development processes, the need to protect your web applications is higher than ever before. The process applies to both traditional web applications and mobile applications.
Best Practice Frameworks
OWASP Top 10 (2013)
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
How can Coral help?
We use a risk assessment approach that involves understanding the application or product through a structured methodology. The process involves the following (not exhaustive):
- Functional review: understanding the business requirement.
- Threat modelling: identification of applicable threats, keeping in mind business functionality, features, application/product interfaces and users.
- Security in the software development life cycle: verification of security in the design and architecture stages of the software development process.
- Black box testing: performed mainly with tools, aimed at identifying vulnerabilities using known-vulnerability resources.
- White box testing: a much more detailed analysis combining tools with an analyst-driven risk assessment approach, looking for hidden vulnerability areas of the application that may not be visible to tools.
- Code review: line-by-line review (and the most expensive), involving verification of functionality and security controls.
- Formal report benchmarking strengths and weaknesses, including detailed remediation.
- Verification of closure after successful implementation of the remediation.