we45 - Web Application Security Testing Case Study

Page 1: we45 - Web Application Security Testing Case Study

we45's Web Application Security Solutions

Web Application Vulnerability Assessment and Penetration Testing

Secure Software Development Lifecycle Implementation and Consulting

Application Security - Code Review and Walkthroughs

Web - Product Security Consulting and Design

Web App Security Testing - Case Study

One of the largest Messaging Gateways in the APAC region engaged with we45

Had commissioned Web Security Tests from other providers for over 5 years, but was unsure of the results

Complex Application with multiple interfaces including Web Services

Engaged to perform Comprehensive Web Security Penetration Test

Key Objectives

Perform Comprehensive Security Test of Messaging Gateway Platform

Identify key risks to User Information

Perform detailed security analysis of Web Services - Revenue Effect

Provide comprehensive reports detailing recommendations

The we45 Approach

Application Overview and Threat Modeling

we45’s Security Experts identified the application’s key functionality through an Overview process.

Identified Key Potential Risks to the application through a Security Risk Assessment

we45’s Methodology - Created by CTO Abhay Bhargav, detailed in his book Secure Java for Web Application Development

Derivative of the world-class OCTAVE and NIST Risk Assessment Methodologies - Focused on Web Apps

Application Security Risk Assessment & Threat Modeling - 2

Application Security Threat Modeling - Critical in identifying potential attack scenarios

Identified Trust Boundaries for the in-scope Web Apps

Extremely useful for Code Reviews, Security Testing and Application Security Documentation

we45’s Security Experts perform Threat Modeling based on Microsoft’s renowned STRIDE Methodology

we45 Web Application Security Testing

Hybrid Methodology - Automated and Manual Web Application Security Testing for target application

Apart from commercial and open source assessment tools, we45’s Security Experts developed special scripts and tools to identify Security Flaws

Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS Top 25, CERT-US Secure Coding Guidelines

Security Flaws for Web Services - evaluated in detail.

Security Testing Methodology

A Few Key Findings...

Deep-seated Injection Flaws in several sections of the application

Utilized specialized Injection attacks to gain access to backend database

Enumerated users and hashed passwords, including admin and DB users

Utilized Password cracking techniques to crack password hashes

Web Services Flaws

Unauthenticated Access to critical web services

Lack of Authorization checks and controls

Deep-seated issues identified with the REST Interfaces

Review & Presentation

Findings presented to Developers, Project Managers and CTO

Findings were explained in detail by we45’s Security Experts

Findings were prioritized and agreements on remediation were reached

Analysis & Reporting

we45 prepared a detailed Security Risk Assessment and Code Review Report

Findings in the report were ranked by severity.

Findings were cross-referenced to industry classifications such as CWE and CVE.

Examples were provided as code-snippets with line number information

Multiple Recommendations and Remediation Strategies were provided

Executive Summary and Action Plan prepared for Management Action

Results & View into the Future

Results:

With we45's support, the client was able to remediate all the security flaws in the application

Enhanced Security through implementation of a Secure Software Development Lifecycle.

The Client was awarded by their industry peers for Security Practices and Security Initiatives

The Future:

we45 is the trusted Application Security Partner for this client

we45 also provides detailed product security consulting for the client’s products