Global Digital Forensics Application Assessment and Testing

Offices: New York, Boston, Washington DC, San Francisco, Los Angeles, Las Vegas, Chicago, Denver, Albany; Europe, Asia, South America


New MaxPatrol Demo Available!
The new demo version includes new intelligent algorithms for detecting blind SQL-injection vulnerabilities in any web application, including custom ones.


APPLICATION SECURITY REVIEW

The new gateway for intruders is the Application Layer.  Improperly configured or improperly controlled applications can open the doors for hackers to access confidential information.  With more and more internet applications being implemented to allow on-line banking, bill pay, account information or policy information, tying into databases containing personal information or corporate secrets, the hacking community has found that attacking an application is less complex and reaps bigger rewards.  For instance, if a hacker were to compromise a database through a company's on-line store, they may be able to gain personal information, like billing addresses, credit card information or any number of personal information fields that allow for identity theft, credit card fraud or information brokering.

 

Organizations that use ASPs (Application Service Providers) and don't host their own applications should be aware of whether the hosted application was tested.  Once an organization decides to trust an ASP with its data, the diligent practice is to require the ASP to have the application tested and to supply a copy of the report to the organization.  This process allows an organization to understand and minimize risk.

 

Application Security Testing lets you know, ideally before an application goes live, whether it is vulnerable to compromise by an attacker from the outside or from within.  Is the application vulnerable to hacking, SQL Injection or Cross Site Scripting?  Before you trust confidential customer data to an ASP, be assured that the application was properly tested for vulnerabilities.  GDF can test an application for vulnerabilities, help secure it and make sure that your organization's data is secure.

 

Many clients opt to have GDF test any application that is hosted by an ASP and may contain sensitive data.  As in any situation, prevention is far less costly than response. 

 

What Is Tested

Application Security Testing covers:

- Server Configurations
- Session Management Security
- Cookie Poisoning
- Cross Site Scripting
- CGI Manipulation
- Buffer Overruns/Overflows
- Weak Passwords
- ACL Integrity
- Command Injection
- Forceful Browsing
- Cryptography Configuration
- Hidden and Form Field Manipulation
- And more...

The Process

Phase 1 – Analysis and Review

1. Understand the use of the application and the types of Data the Client may entrust to the vendor.

2. Review the vendor's security policies and any certification or audit documents available, e.g. SAS 70.

Phase 2 – Basic Vulnerability Test

1. Physical inspection of the data center and equipment.

   a. If a certification such as SAS 70 is not available, GDF will visit the physical location of the Data Center, review policy and procedure, verify the existence of security devices and interview key security personnel in order to formulate a basic rating of the physical security and of the vendor's ability to maintain reasonable security levels.

2. Network Vulnerability Analysis

   a. While not a full-scale penetration test, the Basic Network Vulnerability Analysis allows GDF to determine whether common exploits or security holes exist that could expose Client Data.  Security device configuration, authentication and encryption methodologies, and overall security and exposure from the outside will be verified and tested.

   b. A rating of the basic security will be generated.

3. Application Security Analysis

   a. The application source code and the security implementation of the application will be reviewed and rated.

   b. The methodologies and implementation of any database connections, and the code used to handle Client Data, will be reviewed and tested for possible exploits or security flaws.

   c. An overall test of the application's security will be conducted by attempting to compromise the application and its related systems.

   d. An overall rating of the application's security will be generated.

4. Authentication Methodology Review

   a. The technologies used to authenticate users and protect data in transit will be reviewed.

   b. The policies governing authentication will be reviewed from both the vendor's side and the Client's internal policies to ensure best practices are being followed.

   c. A compromise of those technologies will be attempted.

5. Ratings and Recommendations

   a. GDF will provide the Client with an overview of the overall security model and its implementation.

   b. Detailed suggestions on improving the overall security model.

   c. Suggestions to improve and maintain the authentication model of the application.

   d. A follow-up to ensure that suggestions were implemented correctly and are following best practices.

For more information, please contact an account manager or email info@evestigate.com


Phone: 1-800-868-8189
Phone: 727-287-6000

FAX: 727-287-6011

Copyright 2005 Global Digital Forensics