We are a leading application security company with a full range of services around application threat modelling, security assessments, secure code review, trainings on secure coding, and implementing an application security strategy for your organization.
Our consultants have many years of experience in reviewing the design, code and features of applications from a security perspective cutting across various technology platforms such as ASP, ASP.NET, Java, PHP, Ruby on Rails, C++, etc. Also, we have done a number of mobile application security assessments across Android, iOS, and Blackberry platforms.
Application Security Assessment
Application Security Assessments are designed to identify and assess threats to the organization through proprietary applications or those delivered by vendors with little or no customization. Our application security assessment methodology is designed around the following well known security assessment guides such as:
- OWASP Top 10 (Open Web Application Security Project)
- Threat Modeling processes such as STRIDE and DREAD
- OWASP’s Software Assurance Maturity Model (OpenSAMM)
- Open Security Testing Methodology Manual (OSTMM)
- Web Application Security Consortium (WASC) guidelines
As your applications may provide interactive access to potentially sensitive materials, it is vital to ensure that these applications don't expose the underlying servers and software to malicious attack(s) or allow any unauthorized user to access, modify or destroy data or stop critical system services.
NII's Approach to Application Security Assessments
NII uses a number of application security testing techniques. This might include black-box testing, grey-box testing, fault injection, and behaviour monitoring. This is done along with business logic testing which might exploit or abuse an application's functionality to carry out unwanted actions such as privilege escalation attacks, authorization bypass, parameter manipulation, etc..
Application Threat Modeling
Application Threat Modeling is the process of identifying and understanding the threat to your business that are inherited by the software application you build by analysing the design of the application.
Threat Modeling enables you to make effective application risk management decisions in the Software Development Life Cycle. It prioritizes your business's security requirements allowing you to understand and define security strategy from a defense perspective. We typically adopt the industry standard threat modeling approach by using STRIDE and DREAD models to evaluate your overall application security posture.
Key components of the threat modeling process
Here are the key components for a typical Thread modeling process
- Identify the assets: The assets could be the data or it could also include the web pages, the source code, and the underlying infrastructure.
- Create architecture overview: Document the functionality of the application, architecture, and physical deployment and configuration, as well as the technologies that form part of the solution.
- Decompose the application: Break down the application into its components by identifying trust boundaries, data flow, entry points, and privileged code. This stage also requires identifying the key security objectives of the application in terms of authentication, cryptographic requirements, input validation, authorization configuration management, session management, etc.
- Identify the threats: This can be done using STRIDE model. Find more about STRIDE here.
- Document the threats: Document the threats using the template provided that includes at a minimum the threat description, the threat target, the risk, the attack technique, and the suggested countermeasures
- Rate the threats: The DREAD model can be used to rate the threats. Find more about DREAD here.
Development of Secure Code Development Guidelines
Based on the globally accepted OWASP guidelines, we help clients by developing comprehensive secure coding guidelines, which not only address the programming language in use, but also the configuration of the platform being used to run the application. For instance, our PHP secure coding guidelines incorporate security configurations to be done on php.ini, .htaccess and httpd.conf files in order to ensure that vulnerability in these does not result in an application compromise.
Source Code Review
Source code analysis can not only identify which statement, on which line of code is vulnerable, but can also identify the tainted variable that introduces the vulnerability, and is able to illustrate the propagation from root cause, to end result. This provides application developers with an end-to-end overview of each instance of vulnerability, allowing them to quickly understand the nature of the problem.
Benefits of Risk-Based Security Assessment
During application security assessments, an important aspect often overlooked is the business logic testing which directly impacts the business operations. This needs to be tested by understanding the business process running on the system and then by building business logic test cases accordingly. Having worked with organizations across numerous industries, we have a fairly strong understanding of typical business process such as online trading, e-commerce, supply chain, retail banking, treasury, payroll, procurement, etc. This helps us build in-depth business logic cases even in a routine penetration testing exercise and add far more value than a plain-vanilla penetration testing exercise.
Further, our research shows that one-size-fits-all doesn’t work when it comes to application security strategy. Having worked with organizations of all shapes and sizes and at various levels of maturity when it comes to application security, we have realized that every organization needs to adopt a customized approach for application security. For example, secure coding practices don’t make sense for an organization that typically buys or outsources its application development. However, strong vendor management practices definitely make a huge impact in terms of the security of applications delivered by the vendor.
Related Articles/Blog Posts
- Inside Dalai Lama Website Attacks: Analysing The “Watering Hole Attacks”
- Critical Joomla File Upload Vulnerability
- Indian APT – the Hangover Effect – Full Report
- File Fuzzing Using Minifuzz
- Source Code Review
- Mobile Security Testing
- Penetration Testing
- Information Security Risk Assessment
- Spear Phishing