Application Security Assessment is designed to identify and assess threats to the organization through bespoke, proprietary applications or systems. These applications may provide interactive access to potentially sensitive materials. It is vital that they be assessed to
ensure that

the application doesn't expose the underlying servers and software to attack(s), and
a malicious user cannot access, modify or destroy data or services within the system.

Even in a well-deployed and secured infrastructure, a weak application can expose the organization's information assets to unacceptable risk. Visit the following links to get a better insight of our application security related research activities:

• Advisories of security vulnerabilities we discover
• Security testing tools that we have developed
• Articles that have appeared in various publications, highlighting our innovative approach
• Presentations we have made at various security forums, especially on application security

NII Approach to Application Security Assessments

NII uses a number of software-testing techniques (including black-box testing, fault injection, and behavior monitoring), as well as real-world situations to test each application. The NII methodology is as described below:

High Level Design Audit

High Level Design Audit identifies and analyzes:

Flow of information throughout the application environment
Sensitive data in different sections of the organization
Threats to the sensitive information in question

Source Code Audit

In this step the code is reviewed for vulnerabilities and threats that belong to these categories:

Cryptography
Authentication
Session Management
Data Validation
Exception Management
Authorization
Auditing and Logging

Black Box Testing

Testing Communication Behavior
Identifying Fault Injection Points
Identifying Client-side behavior of the application
Testing interactions with third-party applications
File Interpretation
Cryptanalysis


Benefits

Application Security Assessments help

Secure the flow of information through the application
Implement secure coding practices, remove logical, formatting flaws in the application code
Embedding security right from the design to the execution stage
Recognize the existing vulnerabilities and the extent of current and potential damages posed by the application
Harden technologies keeping in mind the involvement of people which is a key criterion for any strategy to succeed

Above all, the strategies recommended by NII at the end of the exercise will put appropriate application controls in place.