Application Security

Sense of Security has extensive experience with assessing application security – web (browser based), non-web (client/server, compiled binaries, command line, etc.) and mobile, including front-end and back-end systems.

History has proven that software defects, bugs and logic flaws are consistently the primary cause of commonly exploited application software vulnerabilities. These can lead to unauthorised access to your networks, systems and application information.

Web Application Security and Web Services Security

According to research by Gartner, an estimated 70% of all security breaches are due to vulnerabilities within the web application layer (attacks exclusively using the HTTP/HTTPS protocol). Traditional security mechanisms such as firewalls and IDS provide little or no protection against attacks on your web applications.

Our Methodology and Approach

A web application security review identifies vulnerabilities inherent in the code of a web application itself, regardless of the technology in which it is implemented, or the security of the web server or back-end database on which it is built. Specifically, it analyses the critical components of a web-based portal, e-commerce application, or web services platform. A web application audit can be performed separately, or in conjunction with a penetration test, as both assessments are complementary and model threats from different perspectives.

Using our detailed methodology, and a combination of manual techniques and proprietary and commercial tools, this type of assessment pinpoints specific vulnerabilities and identifies underlying problems in the web application.

As part of a web application security assessment, our team will analyse the following key areas within your applications:

  • Architecture
  • Business Logic, Functional Specification & Implementation
  • Authentication
  • Access Control & Authorisation
  • Cryptography
  • Session Management
  • Data Validation
  • Error Condition Handling & Exception Management
  • Data Confidentiality
  • Management Interface
  • Privacy Concerns

Our approach to web application testing and web services security is consistent with the practices documented in the Open Web Application Security Project (OWASP) guides, and is complemented with the extensive experience our consultants have gained by performing hundreds of prior engagements.

Typical Findings

Our testing commonly reveals web application vulnerabilities including, but not limited to:

  • Hidden manipulation
  • Parameter tampering
  • Cookie poisoning
  • Cross Site Scripting (XSS)
  • Stealth commanding
  • Forceful browsing
  • Directory traversals
  • Session hijacking
  • Denial of service
  • Information disclosure
  • Backdoors and debug options
  • Configuration subversion
  • Buffer overflow
  • Vendor option exploitation
  • Access to administration areas and internal modules
  • SQL injection
  • Improper management of permissions
  • XML/SOAP vulnerabilities
  • HTTP attacks


Our Services

We can assist with the development of application security frameworks, application development training, the implementation of secure Software Development Lifecycles (SDLC), through to source code reviews and application penetration testing.

Sense of Security is also experienced with performing web application penetration testing which addresses the annual PCI DSS Compliance test requirements.

Our Team

Our consultants are not only security experts, but also have extensive software development knowledge and experience. This translates to pragmatic solutions and consistently successful client outcomes.

Web Application Security Resources


Recent IT Security Advisories

Sense of Security is recognised as Australia’s leading application security firm. Please visit our advisories page for a list of recently published advisories.


To discuss how our specialist services can help your organisation with application security, please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.

Contact Us