Automated application security testing tools like DAST or SAST have their place in the software development lifecycle but may only find up to 14% of an application’s vulnerabilities. By augmenting results from automated tools with targeted, expert manual analysis of your application, we’re able to more accurately diagnose your application’s susceptibility to threats and provide repeatable, measurable, transparent, and actionable results.
Through the evaluation of hundreds of technology stacks for government agencies, Fortune 500 companies, and cloud service providers, we’ve developed a comprehensive methodology for analyzing solutions, whether they are built on standard frameworks or are completely custom implementations.
Our application security assessment methodology
- Targeted reconnaissance: Build the application profile (e.g., features, technology stack, attack surface).
- Baseline vulnerability enumeration: Review and test to cover risks inherent to your application’s technology, implementation, and common features.
- Targeted vulnerability exploitation: Review and test to cover risks unique to your application’s architecture, functional security, and unique features.
- Ongoing sprint testing: Create an optional assessment schedule that integrates with your development lifecycle to catch vulnerabilities in new features and functionality before they’re deployed to production.
Web applications, web services, standalone APIs, thick clients, and supporting systems
- Simulate a malicious attack to determine its feasibility and the impact it would have.
- Evaluate your application for cross-site scripting, authentication and access control flaws, improper data disclosure, insecure HTTP, and other common risk areas.
- Understand what created the identified risks in your application, so you can fix them in other applications and processes.
Source code review
- Evaluate code quality and implementation from functional and security perspectives.
- Manually verify findings and provide context as necessary.
- Develop proof-of-concept code to show the impact of vulnerabilities.
Mobile apps (iOS, Android, Windows Phone)
- Address the security challenges associated with having web services, embedded browsers, native code components, and third-party services in a single application.
- Analyze application data storage routines (passwords, usernames, personally identifiable information, and other sensitive data).
- Evaluate the usage of platform protections.
- Identify and analyze permission boundary checks.
- Perform high-level device forensics, including the security of network communications, data transmissions, and device-specific configurations and backup mechanisms.