Application Runtime Security Assessment
Real-time analysis of an application's security pinpoints the various external threats that the application faces. By analyzing the application's security from the point of view of a malicious attacker, Security Compass consultants are able to assess critical breach points and suggest possible mitigation steps.
- Analyze the application for vulnerabilities in a run-time environment
- Adopt the mindset of a malicious attacker and evaluate security threats by attempting to compromise the application
- Review application run-time logs to ensure security compliance
- For the most comprehensive testing coverage, combine Application Runtime Security Assessment with Source Code Review and Threat Modelling
Key Business Benefits
- Realistic analysis of theapplication's risk in a runtime environment
- Significant risk reduction for critical applications prior to public deployment if this process is undertaken in parallel with the Quality Assurance (QA) testing phase
- Understanding of risk posed by malicious application users and external attackers
- Improved compliance with regulations and control frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), COBIT, ISO 27001 (formerly 17799), GLBA, etc.
Security Compass' approach to Application Runtime Security Assessment involves:
- Server Scanning—Scan servers for insecure configurations, default installs, and missing patches
- Server Exploitation—Determine to what depth an attacker from the Internet can gain access to the network by exploiting server vulnerabilities. This step involves running exploits and is taken after co-ordinating with the client.
- Information Gathering—Gain a better understanding of the application by browsing the website as a typical user. This includes mirroring the site and searching for information about the application on the Internet ('Google Mining')
- Source Sifting—Review source for elements such as interesting comments, hard-coded ids, etc.
- Architecture Enumeration—Develop an architecture diagram of the application outlining the technologies used
- Attacking Authentication—Attempt to bypass the application's authentication mechanisms
- Attacking Session / Cookie Management—Attempt to exploit session management vulnerabilities and manipulate client cookies
- Attacking Input Validation—Input validation is critical to effective application security testing. Failure to perform input validation in multiple areas could lead to a variety of attacks
- Architecture Review—Perform an architecture review using all the information gathered
The end result of this activity is a report detailing the vulnerabilities discovered, where they were discovered, and how they can be remediated.
Security Compass also provides strategic analysis of vulnerability root causes and both enterprise-wide and department/group-specific initiatives that can cost-effectively reduce vulnerabilities in the future.
Please refer to the Application Runtime Security Assessment Case Study for an example of our work.