Application Security Review and Testing

The objective of the ControlCase application test is to quantify the level of security exposure in your application environment. The application test is a security assessment of an application against specific application security criteria such as those defined by Open Web Application Security Project (OWASP). The assessment consists of tools based testing, but the majority of the assessment is done manually with a web browser or designated client software.

Tools Based Application Testing

As part of the application penetration testing, ControlCase will:

Run application testing tools (such as Acunetix) in multiple modes, in ascending intensity;
Platform only;
Unauthenticated safe;
Authenticated full (multiple user levels);
Run a vulnerability testing tool to perform platform security testing;
Run port scanners, Nessus and any other applicable tools;
Manually verify all vulnerabilities for validity and impact;
Save all vulnerability results for future reference.

Manual Application Testing

As part of this phase of the application testing, ControlCase will:

Use a local web-proxy to intercept and log all traffic;
Paros, WebProxy, Spike, Achilles, etc.
Walkthrough the entire application, logging everything for later reference;
Test every URL, form-field and cookie parameter;
Validate security vulnerabilities through application penetration testing.

ControlCase will also review the security of each of the following areas within the application:

Input validation (Server side and client side): SQL Injection, Cross Site Scripting (XSS), HTML Injection, Overflows
Access Control: Privilege Escalation, Profile Hoping, Forceful Browsing
Password Policy: Password Strength, Password Resetting
Session Management: Session Variable Strength, Session Timeout, Cookie Variables
Security Configuration: Web/Application Server, Account Lockout
Authentication Mechanism
Encryption: SSL, Cipher Strength, Data Encryption
Error Messages: Verbose Errors, Error Generation, Debug Information