Web Application Security Testing and Code Reviews

Web applications are usually the most exposed part of an organization's IT infrastructure. Being custom-developed, they are often vulnerable to attack, and because they process valuable business data and tap into back-end systems they are a natural entry point into the company IT environment. Securing web applications is therefore an important task in the overall security program of any organization.

We offer web application security testing and security code review services.

A security test simulates an attack on a web application and aims at discovering as many security problems in the application as possible. The test is usually performed both from the perspective of an external unauthenticated attacker and from the perspective of an authorized but malicious user. A source code review supplements a security test, allowing the discovery of less obvious bugs, finding all occurrences of a given problem within the code base and giving better advice to the application developers.

For web application security tests we generally follow the OWASP testing methodology, covering the OWASP Top Ten:

  • A1 - Injection
  • A2 - Broken Authentication and Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration
  • A6 - Sensitive Data Exposure
  • A7 - Missing Function Level Access Control
  • A8 - Cross-Site Request Forgery (CSRF)
  • A9 - Using Components With Known Vulnerabilities
  • A10 - Unvalidated Redirects And Forwards

For source code reviews, the variety of technologies used in different applications makes it difficult to provide a single specific methodology. The general approach is as follows:

  1. Understand the business purpose of the application and the potential security risks from a business point of view. This step requires a demo of the application with an explanation of how it is used.
  2. Understand the code structure. This step requires a walk-through of the source code, identifying and describing the main units (e.g. packages, classes).
  3. Identify application entry points where user-supplied data enters the application flow.
  4. Trace the data flow through the application and document the implemented logic. This step usually allows business logic problems to be identified.
  5. Check “known dangerous” operations (file uploads, file handling, SQL operations, encryption and signature verification, etc.). This step usually identifies “technical” security bugs, such as SQL injection, directory traversal, etc.
  6. Check for technology-specific problems. This depends on frameworks and technologies in use.

At the end of the assignment a meeting with the developers will be organized to explain and discuss the discovered problems and the ways to avoid them.

As a result of a web application security test and/or code review we deliver a report consisting of the following parts:

  • Summary. The first part will contain a high-level overview of the work that was performed and the most important issues which were identified.
  • Findings and recommendations. This is the most important part of the report, listing all discovered security problems, ranked according to their perceived severity. For each listed issue, recommendations are included that provide guidance on how the issue could be addressed or mitigated.
  • Detailed test results. The final part of the report provides a detailed technical overview of the tests which were executed, together with their outcome. Including the detailed list of tests with their outcome allows independent validation of the results.

The report will be delivered electronically as a PDF (Adobe Acrobat) file.

Uncovered security issues will be ranked according to an objective severity rating as perceived by the engineers executing the project.