SECURITY ASSESSMENTS AND TESTING
SPECIALIZED SECURITY TESTING AND ASSESSMENTS FOR WEB APPLICATIONS
SPECIALIZED TESTING & ASSESSMENTS
Ponemon Institute asserts that 45 percent of breaches exceed $500,000 in losses. Furthermore, the International Data Corporation predicted that companies would use web applications not only for direct communications regarding transactions, but increasingly for marketing, customer service, and the sharing of other significant information. Because web applications have become integral to business operations, they are a prime target for hackers and cyber-attackers. Suitable risk management and security assessment programs must be adopted to protect businesses from attacks that could jeopardize one of the main online functions of their corporate infrastructure. The attack surface of each web application must be understood, and every possible attack vector must be analyzed and mitigated.

Mobile applications and web applications share many characteristics, both in their engineering architecture and in their security needs. These similarities include the programming languages used for development and the security flaws found in both, such as weak encryption ciphers, code injection holes, and more. From a security perspective, however, the two types of apps differ in significant ways.
Web applications are often linked directly to important back-end database servers, which can frequently be accessed without authorization through SQL injection (SQLi) attacks. The HTML files on a web server within a DMZ, however, are often protected by a Web Application Firewall (WAF), a Network Intrusion Detection System (IDS), and network firewalls. Even with such protection, a website still presents a direct interface through which attackers can inject code to manipulate fields, bypass authentication, and plant reverse shells, rootkits, and backdoors.
A WEB APPLICATION MAY SEEM SIMILAR TO A MOBILE APP, BUT THEY HAVE THEIR OWN UNIQUE NEEDS
WEB APPLICATIONS OPERATE ACROSS A LARGER SET OF PROGRAMMING LANGUAGES
EACH LANGUAGE HAS UNIQUE WAYS IN WHICH IT SHOULD BE TESTED
• Dynamic application security testing
• Manual penetration testing
• Static source code security analysis