Overview
Security Brigade's Application Security Assessment provides a review of your custom applications to determine security weaknesses.
You benefit from:
- Increased company-wide awareness of the importance of best security practices.
- Immediate definition of the security issues in your Applications.
- Clearly outlined responsibilities to protect the confidentiality, integrity and availability of company assets and resources.
- Reduced risk of intentional or accidental information and IT asset misuse by your employees.
- Vital tool in ensuring the integrity and security of business systems.
- Benefit from our proprietary methods and processes.
- Increases awareness of external threats and makes it possible to secure the perimeter against unauthorised users who would exploit programming flaws to access the application and use it maliciously.
- Industry-leading expertise, support and guidance from SB's security research and development team.
- Compliance with federal and state regulations that require security awareness training.
- Low-cost option for training all employees on your corporate security policies.
- Acquire and maintain certifications to industry regulations (BS7799, HIPAA, OSSTMM, OWASP).
Features
Security Brigade's security experts will thoroughly assess your applications, from both a technical and non-technical perspective, to determine security weaknesses. The result is a detailed report of findings and specific recommendations for remediating any vulnerability found.
Key Features
- Thorough assessment of application vulnerabilities that may jeopardize the confidentiality, integrity and availability of critical or sensitive data.
- Functional review of the application from both a client and server perspective.
- Comprehensive vulnerability assessment of the application and the network infrastructure directly supporting it, to determine security weaknesses and misconfigurations.
- Testing performed by SB security experts who have a background in application development.
- Targeted, cost-effective source code review to pinpoint areas in the code that can be improved for greater security.
- Detailed report providing recommendations for mitigating discovered risks.
Benefits
Security Brigade's application testing helps safeguard your organisation against failure, through:
- Provides secure extension of business applications.
- Identifies application security issues before they are exploited.
- Increases real-world perspective into hacker techniques and motivations.
- Identifies specific risks to the organisation and provides detailed recommendations to mitigate them.
- Helps increase customer confidence and trust in the application.
- Prevents application downtime and improves productivity.
- Reduces the cost of recovery and fixes due to loss of information.
- Prevents loss of customer’s confidential information.
- Helps to achieve and maintain compliance with federal and state regulations.
- Avoids legal complications arising from application security failures.
- Delivers timely and valuable application vulnerability information to assist in developing proactive protection measures.
Technical Information
In recent years, the popularity of web applications has grown dramatically, with many organisations converting legacy mainframe and database systems into dynamic web applications. Technologies such as PHP, Ajax, JavaScript, JSP, Java, ASP, ASP.NET, ColdFusion, Perl, Flash and Ruby allow a company to quickly develop client-server applications that can be accessed over the internet and/or intranet.
With the growth of web-enabled applications, attacks have become more sophisticated. Security Brigade's application security service keeps your application ahead of the curve through constant innovation and evolution. The rapid growth in the number of vulnerabilities discovered in applications has made the HTTP protocol an attacker's easiest path into a network.
In-house and commercially developed applications often put speedy development and convenience over security, which results in vulnerabilities such as authentication bypass, SQL injection, cross-site scripting, etc. Applications are also a preferred target for attackers, as they almost always allow access into an internal network through the firewall.
Our application security audit will provide a report on the effectiveness of the security controls that are put in place in your applications. Our report will also provide remediation advice for those items discovered along with a detailed explanation. Once the vulnerabilities are fixed, a follow-up test will be carried out to ensure that all the vulnerabilities originally found are fixed.
Compliance
Security Brigade's Application Testing service can meet the requirements of many standards and guidelines relating to information security. Our Application Testing team has working knowledge of the following standards and aims to meet and exceed their requirements.
- PCI: The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.
- OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and web services.
- ISACA: ISACA was established in 1967 and has become a pace-setting global organisation for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor, is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognised and adopted worldwide as a symbol of achievement.
- CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de facto standard for penetration testing in the UK, mainly on account of its rigorous certification process. Whilst good, it concentrates only on infrastructure testing and not on application testing. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.
- OSSTMM: The aim of the Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisational concerns, such as the corporate profile of the penetration-testing provider.
- BS7799: BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as ISO/IEC 17799. ISO/IEC 17799 was most recently revised in June 2005 and was renamed ISO/IEC 27002 in July 2007. BS 7799 Part 2 focused on how to implement an Information Security Management System (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (the Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005. BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Administrative Simplification (AS) provisions of HIPAA require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.