    Application Penetration Testing

    The purpose of TBG Security’s application penetration test is to dive into specific applications and assess how well they can defend themselves against various real-world cyber attacks.

    Overview

    TBG follows a combination of the NIST 800-115 and OWASP Web Application Testing methodologies to fully audit the security posture of an application. When testing an application, engineers attempt to subvert the security controls it relies on, focusing on vulnerabilities that threaten the confidentiality, integrity, and availability of sensitive information.

    When performing an application penetration test, we look at the four attack vectors a hacker would target:

    • Attacks against the client
    • Attacks against the network
    • Attacks against the server(s)
    • Attacks against the backend data storage

    Detailed tasks include:

    • Information Gathering – Collecting open source intelligence about the application from search engines and other public data repositories.
    • Configuration and Deployment Management – Testing the configuration and deployment of an application provides insight into attack vectors that could possibly allow exploitation.
    • Identity Management – Testing the registration process, role definitions, provisioning process, and account policies.
    • Authentication – Testing looks for known usernames, weak credentials, and lockout policies.
    • Authorization – Testing for direct object reference, directory traversal, and privilege escalation.
    • Session Management – Testing for proper handling of cookies, sessions, and cross-site request forgery attacks.
    • Input Validation – Testing for proper input validation ensures SQL injection and XSS attacks are mitigated.
    • Error Handling – Testing for proper error handling and generic error messages ensures applications do not mistakenly disclose information.
    • Cryptography – Testing cryptography checks that secure cryptographic algorithms are used for password hashing and transport protocols.
    • Business Logic – Testing business logic ensures that proper controls are in place to prevent users from bypassing an application's intended flow.
    • Client Side – Testing for client-side attacks involves verifying that information sent from a client is properly validated server-side.

    DELIVERABLES:

    At the conclusion of the application penetration test, TBG Security will produce a findings and recommendations report containing:

    An executive summary including:

    • The scope of the engagement
    • An overview of our activities
    • A high-level, categorical, risk-based breakdown of findings
    • A high-level plan for remediation

    Detailed findings

    • A risk-based list of addressable issues detailing the application component, exploit description, risk to the environment, sophistication of the attack, impact of the finding, evidence and detailed remediation recommendations.

    In addition to the above report we will also produce:

    • A high-level project plan including:
      • Activities, cost rating, level of effort, benefits to the organization, complexity, sales impact if applicable, and whether the project includes people, process or technology.

    Highlights

    • Penetration testing, or pen testing, is an essential aspect of any security program. With over 20 years of pen testing experience, our team is the best fit to find out how secure your applications really are.
    • These penetration tests can be learning opportunities for your team to understand the techniques and tactics used by hackers to penetrate your systems. Your team will learn about the latest tools and exactly how networks are exploited by a threat actor.

    Details

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.

    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Support

    Vendor support

    Please feel free to call or email with any questions.