RiskSense Attack Surface Validation for Web Applications

Transcription

1 RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc.

2 Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment for our promotional web applications. By the time we executed a statement of work, and saw results with our past vendor, we were already onto the next campaign, a large fast food restaurant. Digital changes and the velocity in which they occur are a real concern especially with business risk exposure. Traditional penetration testing isn t providing the necessary speed to uncover or prioritize the vulnerabilities across a continually changing web application attack surface. Do you have the expertise to uncover the most likely attack scenarios, reflecting both infrastructure and code-level, for the variety of digital web initiatives currently in development? Vulnerabilities within the infrastructure and applications most used in web development have high vulnerability severity rankings reflecting the potential business damage they can cause. Our customers couldn t document that their web-based applications had acceptable risk levels. With RiskSense they accelerated their assessment timeline, from engagement start to finish, and were able to take immediate actions as critical vulnerabilities were encountered. They kept their fast-paced operations and elevated their cyber risk posture with the due diligence that the RiskSense Web Application Attack Surface Validation assessments provided them. The RiskSense Attack Surface Validation for Web Applications provides a comprehensive and valuable security posture assessment that keeps pace with your business needs. RiskSense delivers fast insights, prioritizing actions with clear paths for remediation. The proliferation of web sites and applications that support long-term business, cyclical promotional efforts, and enhanced customer experience are growing vectors for infiltration and exploitation. Our service is specifically structured to give organizations the coverage and timely discovery of exposure with ease of access to findings that supports a new way of managing risk for digital business. RiskSense delivers an in-depth understanding of how an attack can change data inside the application. Using a proprietary framework to discover multiple attack vectors, testing includes passing or data inputs to user, network, and application programmable interfaces (API). Our security analysts uncover areas in the web application infrastructure and code that are critical for the security and protection of your business. Our Attack Surface Validation for Web Applications is a service that allows business to confidently progress their digital strategy and execute as fast as they need without hesitating that their vulnerability testing vendor cannot keep up, as traditional reports can take up to 90 days to deliver. We have made the process to engage with our experts easy and we deliver faster value to our customers from their first evaluation to the many more they subscribe with our services. The RiskSense Attack Surface Validation for Web Applications service provides clients with: Identification of vulnerabilities and the various paths that could be used by adversaries to infiltrate and exploit the web application Threat intelligence mining to elevate the most likely attack scenarios Penetration testing to verify vulnerabilities and eliminate false-positives, automated testing and manual expert-driven investigations Immediate access to the vulnerability findings and full evaluation as they become available through the RiskSense platform, including all automated scanning and manual finding details as well as technical configuration information Recommendations for the remediation of the identified security gaps and vulnerabilities Executive level reports that provide an overall exposure health score, very much like a credit score, that they can use to benchmark improvements over multiple engagements Page 1

3 Methodology RiskSense performs attack surface validation for web applications for organizations ranging in size from small businesses to Fortune 500 corporations. The RiskSense attack surface validation methodology is continuously updated to align with the latest industry and attack trends. Our methodology is comprised is five distinct phases. 1 Passive Reconnaissance Darkweb Mining Environment Scoping 2 4 IP Addresses Mapping Web Services Enumeration 5 3 Infiltration Vector Lateral Kill Chain Vulnerability Prioritization Remediation Playbooks Cyber Risk Quantification Penetration Testing Attack Surface Enumeration Software Attack Surface Data Aggregation Threat Correlation Exploit Documentation Web Application User Interfaces Access Controls URL Crawling/Spidering Business Logic Identification Identification of Input Vectors and Reflection Network Attack Surface Target IP Address Operating System Versions Ports, Protocols, Services Reporting Automated Scanning OS Fingerprinting Port and Services Fingerprinting Vulnerability Identification Exploit Development Vulnerability Exploitation Attack Vectors Code Execution Data Injection and Manipulation Data Exfiltration Missing Patches Misconfigurations Coding Errors OWASP Top 10 CWE/SANS Top 25 Most Dangerous Software Errors Phase 1: Passive Reconnaissance: Obtain a comprehensive fingerprint of the client s test systems through passive reconnaissance. Reconnaissance is used to identify the intelligence attackers can collect through passive means, without triggering alerts on organization security devices. Phase 2: Attack Surface Enumeration: Enumerate the sum of an organization s security risk exposure within the defined scope. Phase 3: Automated Scanning: Use leading web application vulnerability scanners to test for critical vulnerabilities. Phase 5: Reporting: Collect all evidence in the form of screenshots, requests, responses, and commands issued during all phases of the assessment. The reports detail the exploited vulnerabilities, their severity and recommendations for remediation. In addition to scanning the web applications, RiskSense gathers information from search engines, security portals, hacking forums, data dumps, and dark web disclosure sites in order to determine if a client s application data has been exploited. Information gathered will be examined for evidence of active threats, including weakness disclosures and data exfiltration. Phase 4: Penetration Testing: Gain unauthorized access to portions of the web applications from the perspective of both a trusted user and an adversary. Page 2

4 Automated Scanning and Testing A Clinical Analysis SOLUTION BRIEF FOR RISKSENSE SERVICES The automated testing process is routinely run in an iterative fashion, and each iteration expands upon previously discovered issues. This step is used to determine a baseline and helps the analysts locate potential threat vectors that may require additional manual testing. Data Injection and Manipulation Reflected Cross-Site Scripting (XSS), Persistent XSS, Cross-Site Forgery SQL Injection, Blind SQL Injection, Buffer Overflows, Integer Overflows Log Injection, Remote File Include Injection, Server Side Include Injection, Operating System Include Injection Local File Include Customer Fuzzing Path Manipulation-Traversal and Truncation Sessions and Authentication Server and General HTTP Server Misconfigurations Directory Indexing and Enumeration Denial of Service HTTP Response Splitting Windows 8.3 Filename DOS Device Handle Denial of Service Canonicalization Attacks, URL Redirection Attacks AJAX, WebDAV, Web Services Auditing File Enumeration, Information Disclosure, Directory and Path Traversal Spam Gateway Detection Dangerous HTTP Detection Session and Authentication Strength, and Session Expiration Insufficient Authentication and Brute-Force Authentication Attacks Support for CAPTCHA and Two-factor Auth Validation Secure Sockets Layer (SSL) Certificate Issues SSL Protocols Supported, SSL Ciphers Supported Password Autocomplete Cookie Security Penetration Testing RiskSense goes beyond just using automated scanning tools to ensure all assessments have coverage in areas where automated testing is not sufficient. Overcoming the limitations of the automated tools Risk Sense security analysts leverage their expertise to test the security standards in every aspect of a web application: Business Logic Testing Analyzing the existing business logic of a web application and finding the security flaws within the control flow of the data and transactions. Data flow of hidden variables is analyzed and manipulated to validate any found security flaws and the impact to business logic requirements. Privilege Escalation (Grey Box Testing) Target web applications are tested by our analysts logging in using a least privileged user account. They attempt to escalate their user access level by identifying insecure direct object references and gain access to data items that are restricted. This also tests the session controls and exposure to session hijacking. API Endpoint Testing The RiskSense security analysts test for existing and emerging technologies that are capable of querying web service-related data directly from back-end data sources. They test for vulnerabilities in using Asynchronous Java Script and XML (AJAX) and the different APIs communication with the target web application. Page 3

5 Modernizing Results Delivery Enhancing Value A Clinical Analysis RiskSense Attack Surface Validation for Web Applications leverages the RiskSense Platform as a key component of the service and value we provide to customers. Results from the Passive Reconassaince, Attack Surface Enumeration, and Automated Scanning stages are delivered through the RiskSense Platform, customers see the progression and depth of coverage this service provides. Findings and associated data are passed into the platform, quickly identifying all of the relevant vulnerabilities with risk ranking and remediation recommendations. Our clients receive their Web Application Security Posture Report through the platform allowing them to produce.pdf reports on demand but also drill down on specific focus areas adding in host business criticality to the elements identified in the assessment findings. Web Application Security Posture Reports The Web Application Security Posture Reports providesan organization with an overview of web application elements and functional components regarding their vulnerabilities. An Executive Summary and Developer Report are available. These reports include: An executive summary with a high-level view of security standards being followed by the organization. A graphical representation of consolidated threats, Open Application Security Project (OWASP) Top 10 vulnerabilities in all applications, and the top most vulnerable applications. An overview of the evaluation based on the consultants findings and interviews with personnel, as well as scanning data and technical configuration information provides to RiskSense. This section will also include penetration testing summary, vulnerable variables, URLs, and the threat count for all URLs in each web application. Page 4

6 About RiskSense RiskSense, Inc. provides vulnerability prioritization and management to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. The RiskSense Platform embodies the expertise and intimate knowledge gained from real world experience in defending critical networks from the world s most dangerous cyber adversaries. As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program. RiskSense Platform the industry s most comprehensive, risk-based vulnerability prioritization and management platform. Contact us today to learn more about risksense RiskSense, Inc RISK www@risksense.com CONTACT US SCHEDULE A DEMO READ OUR BLOG SB_RSASVWebApps_