
Web Application Security Assessment

Organizations strive to protect the confidentiality and integrity of their customer and business partner data on the Web. In addition, regulations require that organizations maintain the proper controls to protect customer data against unauthorized access.

The primary objective of a Web application security assessment is to determine whether the application provides adequate security controls to protect against attacks that aim to gain unauthorized access to sensitive data or application resources (e.g. databases, operating systems). Such attacks succeed because Web-based applications often rely on insecure methods to track users, pass data, validate data, perform database queries and maintain sessions.

Palindrome Technologies uses a proven and comprehensive Web application vulnerability assessment methodology to verify the security posture of a Web Application of any size and complexity. The methodology is based on industry requirements and practices (e.g. VISA/MC PCI and OWASP) and includes:

• Review related literature:

  • System-related documentation (architectural requirements, design documents)

  • System management and interactions (administrative guides, configuration manuals, end-user manuals)

• Verify application controls, including input validation and processing (e.g. buffer overflows, SQL injection, cross-site scripting); session creation, management and termination; and data confidentiality and integrity.

• Role-based evaluation of security controls and application functionality. This includes attempts to access application resources or functionality without proper user credentials in order to identify weaknesses in the application design or implementation.

• User accessibility and input validation: simulate authorized and unauthorized user activity, including attempts to manipulate properties such as hidden form elements and session IDs.

• Identify weaknesses in the configuration of the encryption, authentication and authorization mechanisms.

• Assess the security posture of components that support the application, such as backend databases, MQSeries servers, LDAP directories, load balancers and others.

• Assess the client/server communication protocols (such as IP, TCP, SSL, SNMP, RPC or HTTP) used to transmit data between the client and the server hosting the application, in order to identify related vulnerabilities.

• Verify logging and intrusion detection capabilities.

• Generate actionable reports, with prioritized and categorized findings, to help maintain the proper security posture of the Web application and its supporting computing infrastructure (e.g. databases, LDAP servers, load balancers, authentication servers, etc.).

Experience

The principals of Palindrome have been conducting Web application assessments for over a decade. Customers include government and commercial organizations in the financial, pharmaceutical, airline, energy and telecommunications sectors.


Please contact us to discuss ways Palindrome can help you meet your information protection requirements: Contact Palindrome

© 2008 Palindrome Technologies. All Rights Reserved.