De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Transcription

1 De-risk Your Applications SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

2 With the exponential increase in Web, Mobile, Cloud and IoT applications, the security risks and challenges in protecting sensitive data have also increased manyfold. Now, the focus on security is at its peak. This situation is challenging due to the rapidly evolving technologies as well as increase in attack vectors and entry points. Any security incident or breach will not only result in loss of sensitive data and damage the reputation of the organization, but will also result in loss of business and imposing of penalties due to non-compliances. Hence, organizations should focus more on considering security aspects at all stages of application development to avoid expensive and time-consuming changes to the Architecture / Code later down the development cycle. Based on our experience of testing over 150 applications, we have observed that most of the vulnerabilities exist at the application layer. This is a clear indication that application is the weakest link for hackers to attempt a break-in. At EVRY, we follow the industry standard OWASP based methodology to identify the vulnerabilities, suggest best practices in mitigating the risk and help our customers to move to production with confidence. EVRY s Certified Ethical Hackers have experience of conducting a large number of tests over several years on web / mobile applications and networks in various domains such as Banking & Finance, Insurance, Healthcare, Retail and ISVs. 2 DE-RISK YOUR APPLICATIONS

3 Offerings Web Application Security Network Security Mobile Application Security API Security Testing Types > > Threat modelling > > Vulnerability assessment > > Penetration testing > > Security code review > > Secure SDLC assessment Tools > > Burpsuite Professional > > Nmap > > Nessus > > Wireshark > > Metasploit Penetration Cloud Security IoT Security Guidelines > > Open Web Application Security Project (OWASP) Differentiators Compliances > > Industry standard methodology based on OWASP for better coverage > > Experience in conducting numerous security tests > > Experience in varied domain s from Banking & Finance, Insurance, Healthcare, Retail and ISVs > > Dedicated test lab with extensive tool kit > > PCI DSS > > HIPAA > > SOX DE-RISK YOUR APPLICATIONS 3

4 Subscription-based Security Testing as a Service (STaaS) Any application in its lifecycle goes through a lot of changes viz. new features addition, bug fixing, etc. These code changes may inadvertently introduce a security loophole that demands periodic vulnerability assessments. To tackle this, EVRY s annual subscription service for security testing includes Automated Scans and Manual Assessments. By doing this, we ensure to minimize security issues seeping into your apps. EVRY s Subscription-based Security Testing as a Service (STaaS) Quarterly Automated Scanning Quarterly Manual Vulnerability Assessment Benefits Automated vulnerability scanning Manual assessment & penetration testing of the application > > Periodic security validation against major releases > > Meeting security compliance > > Tracking vulnerability trend of application > > Cost saving 4 DE-RISK YOUR APPLICATIONS

5 Case Study Client Overview Our client is one of the major departmental store chain in the USA and sells apparel at discounts. They also have an e-commerce application where buyers can search and shop for popular brands at discounted prices. Business Requirement This client was planning for a major product release and wanted to ensure that there were no major security loopholes in their e-commerce application before taking a decision for moving to production. Hence, they wanted to conduct a thorough application security test. The scope was to conduct a detailed Vulnerability Assessment of the e-commerce platform and exploit the vulnerabilities by conducting penetration testing. The focus was manual assessment rather than tool-driven scans as another vendor had already finished tool-driven scans. EVRY s Solution Our Security Team first understood all the critical workflows of the application, identified all the entry points to the application and out-of-scope external services for the validation. Then we identified all the scenarios for validation, as per the industry standard methodology OWASP top 10. Our team then thoroughly tested the application for different type of attack vectors such as XSS, CSRF, session fixation, business logic bypass, sensitive information disclosure, insecure direct object reference and privilege escalation vulnerabilities to further identify around 20 vulnerabilities. EVRY created a detailed report of all the vulnerabilities along with defects severity and the remediation steps for fixing the identified vulnerabilities. We provided detailed recording of the defects for easy reproducibility. EVRY also retested the vulnerabilities and verified them after fixes were done. Business Impact EVRY S Security Team identified several Critical / High business-logic vulnerabilities, the scanning tool had failed to identify and thus helped the project team to make the application secure. This team fixed the identified vulnerabilities and moved the project to production with an improved confidence....evry Team has provided excellent overall value, much better experience than with other Indian companies used by DATAGENIX till date and based upon feedback from other peer companies that have used Indian resources as well. - Mark Oja CEO, Datagenix DE-RISK YOUR APPLICATIONS 5

6 For more information about all our solutions and offerings, get in touch with: or USA Headquarters: EVRY USA Corporation 1425 Greenway Drive, Suite 490 Irving, Texas 75038, USA Phone: / EVRY-USA Fax: India Headquarters: EVRY India Pvt. Ltd. Ground Floor, No. 42, 27th Cross Brigade Software Park 1, Building B Banashankari Stage 2, Bangalore Karnataka, India Phone: Fax: Global Headquarters: EVRY AS Snarøyveien 30A 1360 Fornebu, Norway Tel: / info@evry.com Copyright 2017 by EVRY India. All rights reserved. The contents of this document are protected by copyright law and international treaties. EVRY India acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. The reproduction or distribution of the document or any portion of it thereof, in any form or by any means without the prior written permission of EVRY India is prohibited.