
Application Assurance

Regular testing of your network infrastructure and applications is a critical activity for ongoing assurance that your network remains safe, and that your investment in perimeter controls is yielding the expected return.

commissum provides a comprehensive range of internal and external network and application testing services, as well as cost-effective vulnerability assessments in between these detailed tests.

Application Security

commissum's application assurance services offer advice on best practice in application assurance and security testing.

  • CREST assured application security testing.
  • Comprehensive application security assurance service throughout the software development life cycle (SDLC).
  • Objective, independent and pragmatic security advice.

Application Test Issues

Software applications are the reason for using complex computer systems. They are the means of harnessing the power of the hardware, to provide value through functionality. Applications are the access points to your information assets.

Unfortunately, owing to their complexity and the inevitable business pressures during development, applications are more often than not the weak points in an organisation's security. Organisations are understandably focused on ensuring that business functional requirements are delivered by the development teams; time-to-market can be critical for application development. In this environment, it is all too easy to overlook critical flaws in design, code implementation, or underlying vulnerabilities in the commercial components that are an integral part of the application or the environment in which it operates.

Attackers are only too aware of the potential weakness in applications, and application-level attacks are still one of the major sources of unauthorised access to, or misuse of, systems today. Because they arrive as legitimate-looking requests over the ports and protocols the perimeter must allow, they pass straight through traditional defences such as firewalls, and are extremely difficult to distinguish from normal use.

There is therefore always a delicate balance to be struck between functional requirements, business needs, and security risk. commissum is able to provide comprehensive application security assurance services, that include design assurance consultancy throughout the development lifecycle, development audit, critical phase review, code review, and specialist security application testing.

Approach

Ideally, a client will engage the services of commissum's security assurance specialists at the earliest phases of a project. It is significantly more cost-effective to design with best-practice security in mind from the start. However, the knowledge and skills of the commissum team can be applied at all stages, particularly as independent security testers as part of system proving.

The approach taken to any assignment can be either "Black Box" (limited prior knowledge) or "White Box" (full application knowledge), although ideally a combination of both approaches is used for greatest effect.

Depending on the agreed scope, the following elements may be included in testing:

  • Test functions exposed to users or other applications.
  • Monitor network traffic for transmission of information of benefit to an attacker (for example credentials, session tokens or sensitive data sent in the clear).
  • Test for a wide range of typical vulnerabilities, including the OWASP Top Ten.
  • Test for resilience to malformed, unexpected or malicious input.
  • Review system software for known security flaws and common coding errors.
  • Check that the infrastructure is implemented and configured for secure operation.
  • Test that the application does not "fail open", i.e. grant access or continue processing when a security check errors or times out.
  • Check the protection of sensitive information and administrative functions.
  • Code review using automated tools, manual checking, or a combination of both.
  • Code-assisted testing, where testers have access to the source code to direct their tests.
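The "fail open" item above is the one most often missed in functional testing, because the happy path passes. The following is an added example written for this page (not commissum's code or tooling) of a signed-token authorisation check in its fail-open and fail-closed forms; the token format, the key and the helper names are all constructed for the illustration.

```python
"""Added example: a 'fail open' authorisation check beside its 'fail closed' form.

Token format (constructed for this example): "<user>:<role>:<hmac-sha256 hex>".
"""
import hashlib
import hmac

# Constructed key for the example only; a real deployment would load this from a secret store.
SECRET = b"constructed-example-key"


def make_token(user: str, role: str) -> str:
    """Issue a token whose user and role are bound by an HMAC over both fields."""
    body = f"{user}:{role}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"


def parse_token(token: str) -> dict:
    """Verify the HMAC and return the claims. Raises ValueError on any malformed or tampered token."""
    user, role, sig = token.split(":")  # ValueError if the field count is wrong
    expected = hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return {"user": user, "role": role}


def is_admin_fail_open(token: str) -> bool:
    """Vulnerable pattern: a permissive default plus a catch-all that swallows the error.

    Only a well-formed, correctly signed non-admin token is denied. A tampered or
    malformed token raises inside the try block, the exception is discarded, and
    the request proceeds with 'allowed' still True.
    """
    allowed = True
    try:
        claims = parse_token(token)
        if claims["role"] != "admin":
            allowed = False
    except Exception:
        pass  # "just log it" in the original; the check has already failed open
    return allowed


def is_admin_fail_closed(token: str) -> bool:
    """Hardened pattern: deny by default; access is granted only on a verified admin claim."""
    try:
        claims = parse_token(token)
    except (ValueError, TypeError):
        return False  # any failure to verify is a denial
    return claims.get("role") == "admin"


if __name__ == "__main__":
    forged = make_token("bob", "user").replace(":user:", ":admin:")  # role edited, signature stale
    print("fail-open  grants forged admin:", is_admin_fail_open(forged))
    print("fail-closed grants forged admin:", is_admin_fail_closed(forged))
```

A tester exercising this check would submit a token with an edited role, a truncated token, and an empty string, and confirm that each is refused; in the fail-open form all three are accepted, which is exactly the class of defect that a functional test suite built around valid tokens never sees.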

Application test customer benefits

commissum provides:

  • A concentrated pool of security-focused resource to advise on best practice security implementation.
  • Objective, independent, current security knowledge of a wide range of commercial software and applications.
  • Comprehensive testing of bespoke applications by drawing on concentrated security knowledge to devise tailored threat scenarios: thinking like an attacker is different from thinking like a user.
  • Advice on best practice measures and corrective action required to improve security deployment and integrity.
  • Independent expert assurance that applications and processes are able to resist a range of attacks.
  • Confidence that the system will not make headlines as a hacker's, criminal's or terrorist's latest victim.

commissum is able to recommend hardened configurations for system components that enable required functionality, while disabling unneeded features and improving integrity and resistance to attack.

commissum application security PDF (40.1 KB)

Get in touch with one of our security consultants today

  • No obligation
  • Expert advice
  • Tailored solutions
"commissum provided us with a high quality service. We found the project team helpful and flexible in responding to changes in requirement; the technical staff in particular were excellent. All commitments including deliverable timescales were met and I would have no hesitation in recommending commissum."

Mr A Moretti, Executive Director for IT Security Risk Management, Global Investment Bank

Latest News

Alleged Chinese Government Hacking Department back in action


The Chinese state-sponsored cyber unit known as Unit 61398 is allegedly back in action after a lull in its activities. This group, which allegedly specialises in governmental and industrial espionage, was very active and successful up until February this year. The targets of Unit 61398, also known as APT1, have ...
Tue 21 May, 2013 // Martin

Leading USA military contractor QinetiQ hacked and ransacked by Chinese hackers for three years

A new report from Bloomberg, the business information provider (www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html) outlines how hackers from China stealthily infiltrated the computer systems of QinetiQ North America, a leading espionage and military contractor to the US government, and the US branch of the British defence technology company QinetiQ. A vast range of highly ...
Wed 08 May, 2013 // Briony

Suspected hacker arrested after “biggest-ever DDoS attack”

Police in Spain have arrested a Dutch national on suspicion of launching the largest-ever “Distributed Denial of Service” (DDoS) attack. Sven Olaf Kamphuis, 35, was arrested on April 25th near Barcelona, Spain. At the time, he was in possession of a specially-equipped van set up as a mobile computing and ...
Tue 30 Apr, 2013 // Briony