Application Security Approach

Transcription

1 Technical Approach Page 1

2 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2

3 1. INTRODUCTION Page 3

4 It is a Unsafe Cyber world.. Global in minutes due to Cyberspace Human systems can no longer react FACT!!!! 99.9% secure = 100% Vulnerable! Page 4 Source from Internet

5 Highest Security Risk Web application attacks represent the greatest threat to an organization s security. Page 5 Source from Internet

6 Need for Secure Application Security OWASP Top 10 RISK Page 6

7 2. WHAT IS AN APPLICATION SECURITY? Page 7

8 What is Application Security A form of stress testing, which exposesweaknesses or flaws in a Web Application, Art of finding a ways to exploit Web Application. Insecure Cryptographic Storage Security Misconfiguration Cross Site Request Forgery (CSRF) Insecure Direct Object References Broken Authentication and Session Management Cross Site Scripting (XSS) Injection Flaws Page 8

9 3. APPROACH Page 9

10 Typical Approach Authentication Assessment (Grey Box Assessment) Dynamic Pages / Static Pages Login Page Provided with Login Credentials Non-Authentication Assessment (Black Box Assessment) Dynamic Pages / Static Pages Publically Available Pages Login Page / No login page Not Provided with Login Credentials Page 10

11 4. METHODOLOGY Page 11

12 Methodology for Application Security Deliverables 07 Scope / Goal Definition Exploitation Attempts Application Discovery Vulnerability Assessment Threat Assessment Infrastructure Analysis Page 12

13 1. Scope/Goal Definition What type of Assessment to be conducted Authenticated Assessment Non-Authenticated Assessment Which Web Application the test will be conducted Duration of the test Page 13

14 2. Application Discovery Web application discovery is a process aimed at identifying web applications on a given infrastructure.thelatterisusuallyspecifiedasasetofipaddresses(maybeanetblock),butmay consistofasetofdnssymbolicnamesoramixofthetwo. This information is handed out prior to the execution of an assessment an application-focused assessment. Page 14

15 3. Infrastructure Analysis Conducting Analysis to find the location of Web Application in the Infrastructure. Do the analysis of what is placed to protect Web Server & find out gaps of the placement. Check for the details for how is Web Server, Application Server and Database Server Located. 15 Page 15

16 4. Threat Assessment Threat Assessment is conducted based on the findings of Step 2 and Step 3. All the possible Threat related to the Application and Infrastructure are Assessed in this phase. Page 16

17 5. Vulnerability Assessment Tool Based Scan is conducted based on the Scope defined in the step 1 Authentication Assessment(Grey Box Assessment) Dynamic Pages/ Static Pages LoginPage Provided with Login Credentials Non-Authentication Assessment (Black Box Assessment) DynamicPages/StaticPages Publically Available Pages LoginPage/Nologinpage Not Provided with Login Credentials Our Consultant team does analysis based on the manual intelligence False Positive/ False Negative Alcumus consultants team conduct analysis to find False Positive and False Negative. Vulnerabilities are rated as Critical, High, Medium and Low after the analysis. Page 17

18 6. Exploitation Attempts HAS Two Sub Stages I. Attack & Penetration Known / available exploit selection Tester acquires publicly available s/w for exploiting. Exploit customization Customize exploits s/w program to work as desired. Exploit development Develop own exploit if no exploit program available Exploit testing Exploit must be tested before formal Test to avoid damage. Attack Use of exploit to gain unauthorized access to target. II. Privilege Escalation What can be done with acquired access / privileges Alter Damage What not Team of consultants at Isolutions will be conducting POC to exploit the Critical and High Vulnerabilities. Page 18

19 7. Deliverables Organize Data/related results for Management Reporting Consolidation of Information gathered. Analysis and Extraction of General conclusions. Recommendations. Page 19

20 Thank You! Infopercept Consulting Pvt. Ltd. H-1209, Titanium City Center, Anand Nagar Road, Satellite Road, Ahmedabad Page 20

21