Application Security Audit
"Software bugs... cost the US economy an estimated $59.5 billion annually... a third of these, [estimated at] $22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier identification and removal of software defects..."
National Institute of Standards and Technology (NIST), May 2002
Security testing of application software involves identifying every avenue of input to the program and the ways in which a user can circumvent the controls the software has put in place. Securing your database, operating systems and networks counts for nothing if the application itself reveals your data to unauthorized users. A security audit therefore has to cover the entire gamut of systems, including the bespoke applications in use within your organization. A single vulnerability in such software can lead not only to the application crashing but, as has been demonstrated repeatedly, to the compromise of the server it runs on. The essential quality of any application audit is therefore comprehensiveness. Our audits are exhaustive and are not limited to running a standard set of tools against the software.
Methodology
We first carry out a detailed study of the application, its components and their interactions. We then perform a risk assessment for the application, identifying the threats to it, the impact each threat would have, the vulnerabilities within the application that would allow each threat to materialize, and the probability of each threat occurring.
We then analyze the application for possible vulnerabilities, including but not limited to the following:
- Buffer Overflows
- Format String bugs
- SQL Injection
- Cross-Site Scripting
- Information Disclosure
- Path Disclosure
- Directory Traversal
- Session Management Vulnerabilities
- Weak Encryption Algorithms/Protocols
- Authentication bugs
- Authorization bugs
- Vulnerabilities in the way the application interacts with the Database, Operating System and Network layers
- Vulnerabilities in the in-built Auditing mechanism of the application
- Known vulnerabilities in third-party components that the application may rely on
Source Code Audits
If the source code of the software is available, you may also engage us for a comprehensive source code audit. Our experience across technologies and development platforms is as follows:
| Operating Systems | Windows, HP-UX, AIX, Solaris, Linux, OpenVMS, Novell NetWare |
| Web Servers | IIS, Apache, Netscape Enterprise Server |
| Databases | Oracle, MS SQL Server, MySQL, PostgreSQL, Sybase, SQLBase |
| Web Technologies | ASP, ASP.NET, JSP, Java Applets/Servlets, Perl, PHP |
| Programming Languages | C/C++, Visual Basic, VC++, Visual.NET, C#, Shell Scripts, Java, PL/SQL, T-SQL, COBOL |
| Tools Used | RATS, ITS4, Flawfinder, Customized scripts |
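To show what the "Customized scripts" entry above amounts to in practice, here is an added example that is not code from this page, from the firm, or from RATS, ITS4 or Flawfinder: a minimal lexical source scanner in Python, in the style of those tools, that flags two of the classes listed under Methodology, unbounded string copies (buffer overflows) and non-literal format strings (format string bugs). The rule tables are our own small subset, and the C fragment it scans is constructed for illustration and deliberately includes one false positive.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from any real audit): a C fragment with
# the defect classes a lexical scanner can point at, plus one false positive.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void greet(char *name) {
    char buf[64];
    const char *fmt = "hello %s\n";
    strcpy(buf, name);                      /* unbounded copy: real overflow */
    printf(name);                           /* attacker-controlled format string */
    printf("%s\n", buf);                    /* literal format: safe */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded copy: safe */
    printf(fmt, buf);                       /* flagged, but fmt is constant: false positive */
}
'''

# Rule tables in the spirit of the Flawfinder/RATS rulesets (a minimal
# subset written for this example, not those tools' databases).
UNBOUNDED = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
# Position of the format argument for each printf-family function.
FORMAT_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

def strip_comments(line):
    """Drop single-line /* ... */ comments so text inside them is not scanned."""
    return re.sub(r"/\*.*?\*/", "", line)

def call_args(text, open_paren):
    """Split the argument list whose '(' is at text[open_paren] on top-level
    commas, respecting nested parentheses and string literals."""
    args, cur, depth, in_str, i = [], [], 0, False, open_paren
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\":          # keep the escaped character, including \"
                i += 1
                if i < len(text):
                    cur.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return args  # call not closed on this line: best effort

def scan(source):
    """Return one Finding per suspicious call, in source order."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comments(raw)
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            if func in UNBOUNDED:
                findings.append(Finding(lineno, "unbounded-copy",
                                        f"{func}() does not bound the destination"))
            idx = FORMAT_INDEX.get(func)
            if idx is not None:
                args = call_args(line, m.end() - 1)
                if len(args) > idx and not args[idx].startswith('"'):
                    findings.append(Finding(lineno, "format-string",
                                            f"{func}() format '{args[idx]}' is not a literal"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run against the sample, the scanner reports the strcpy() and the printf(name) call, which are genuine defects, and also printf(fmt, buf), where fmt is a compile-time constant and the report is a false positive. A lexical tool has no data-flow view, so every finding still needs an auditor to trace the flagged argument back to its origin; that triage step is the difference between running a tool and an audit.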
Why Titanium?
The methodology for testing software has been developed as a result of our experience and efforts. We have been actively involved in independent research and have found security vulnerabilities in mission-critical software from vendors such as Oracle, Microsoft, Macromedia, Symantec, Cypherix and others.
Deliverables
At the end of the application audit we deliver to the client:
- A complete list of the vulnerabilities discovered in the system, ranked by severity according to the privilege level an attacker could gain by exploiting each one.
- A detailed set of recommendations to overcome these vulnerabilities.
- A handbook on secure coding practices for the language, platform, and environment existing at the client's end.
- A transfer of knowledge explaining our testing methodologies and evaluation criteria for the audit.
- Any code we develop to exploit the discovered vulnerabilities is handed over to the client as well.
You may contact us for a document detailing our methodology and approach to auditing software applications.