Web application security assessment
Web applications are becoming ever more sophisticated and complex, and they now form a large percentage of the Internet sites that people visit. These range from simple dynamic portals such as e-commerce sites and partner extranets, to full-blown enterprise applications such as document management systems and ERP applications. Application availability and the integrity of the data that they store and process are critical to all companies.
The cost to a company of a successful attack and the subsequent compromise of the application can be significant, both financially and in the damage caused to its reputation. The risk of compromise has risen significantly with the increased complexity of web applications. Media coverage has heightened public interest in security breaches, and the range of groups of potential attackers has grown.
Over the last few years the network security market has matured and now offers fewer opportunities to exploit systems through network-based vulnerabilities. This has led attackers to focus their attempts on exploiting web applications.
Security breaches and other successful attacks executed by malicious attackers have recently been highlighted; attacks against Twitter, Facebook and Google have all made the news over the last year. The smallest of breaches, which historically may well have gone unnoticed by the public, are now often publicised, greatly increasing the risk to an organisation’s reputation.
What are the core threats?
Any type of web application that stores and/or processes sensitive and personal information is typically exposed to five generic threats:
• Authentication Bypass – is the process of obtaining access to the application and its underlying data through circumvention of weak authentication controls, such as the ‘Forgotten Password’ page.
• Privilege Escalation – is the act of exploiting a bug, design flaw or configuration oversight in the application to gain elevated access to the application and its underlying data.
• Loss or Modification of Data – is the result of the data store being modified, deleted or copied by one of the above methods.
• Compromise of Systems – is the result of exposing internal connected systems such as intranets, partner portals etc. via the exploitation of a trusted application or path.
• Denial of Service – is the result of the application becoming unavailable due to exhausted resources such as bandwidth or number of web connections.
Why should you perform a Web Application Security Assessment?
You should consider performing a Web Application Security Assessment on any corporate web applications that store and process sensitive corporate or personal information.
If you are considering whether or not to have a Web Application Security Assessment performed, you should ask the following questions:
• Does the web application store and process personal information that is covered by the Data Protection Act?
• Does the web application store and process financial information?
• Does the web application store and process private corporate information?
• Does the web application require user authentication or utilise multiple levels of access for viewing?
• Does the web application connect to other systems within the corporate network?
• Does the web application contain any third party components?
• Is the web application solely for internal use or public facing?
If you have answered yes to any of the above questions, you should strongly consider a Web Application Security Assessment.
How will a Web Application Security Assessment improve your corporate security?
Having a Web Application Security Assessment performed regularly will help your company:
• Identify and understand any potential security breach points.
• Verify the application’s security footprint.
• Validate the effectiveness of security controls within the application.
• Identify and eliminate any errors in the application prior to deployment.
• Provide insight into how effective the security controls are, to inform development and QA testing.
• Have confidence that any third-party components used within the web application preserve its security integrity.
• Protect intellectual property and prevent financial loss from a successful attack.
TeraByte IT offers a number of benefits that will help your company:
• TeraByte IT use proven methodologies that build upon recognised industry-standard approaches such as the Council of Registered Ethical Security Testers (CREST), the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).
• TeraByte IT security consultants hold the Certified Ethical Hacker certification, built upon a foundation of IT knowledge that spans decades.
• TeraByte IT not only concentrate upon the security aspects of testing, but also have knowledge and experience in the day-to-day running and administration of large networks, which can aid in troubleshooting or configuring specific issues.
• TeraByte IT work towards providing quality work and ensure that the solutions and reports provided to clients are second to none.