Application security assessments

Connect with us

Applications are found in nearly every part of daily life, making them a prime target for cyber criminals. Vulnerabilities in application code and design flaws in content-rich, service-heavy web and mobile applications can be targeted to penetrate critical systems and steal sensitive information. To stay ahead of these threats, application security assessments must become a natural part of the software development lifecycle.

Identifying weaknesses in your proprietary and third-party applications

Automated application security testing tools like DAST or SAST have their place in the software development lifecycle but may only find up to 14% of an application’s vulnerabilities. By augmenting results from automated tools with targeted, expert manual analysis of your application, we’re able to more accurately diagnose the susceptibility of threats and provide repeatable, measurable, transparent, and actionable results.

Through the evaluation of hundreds of technology stacks for government agencies, Fortune 500 companies, and cloud service providers, we’ve developed a comprehensive methodology to analyzing solutions and built standard frameworks and completely custom implementations.

Our application security assessment methodology

  • Targeted reconnaissance: Build the application profile (e.g., features, technology stack, attack surface).
  • Baseline vulnerability enumeration: Review and test to cover risks inherent to your application’s technology, implementation, and common features.
  • Targeted vulnerability exploitation: Review and test to cover risks unique to your application’s architecture, functional security, and unique features.
  • Ongoing sprint testing: Create an optional assessment schedule that integrates with your development lifecycle to catch vulnerabilities in new features and functionality before they’re deployed to production.

Our approach

Web applications, web services, standalone APIs, thick clients, and supporting systems

  • Simulate a malicious attack to determine the feasibility and impact of a potential attack.
  • Evaluate your application for cross-site scripting, authentication and access control flaws, improper data disclosure, insecure HTTP, and other common risk areas.
  • Understand what created the identified risks in your application, so you can fix them in other applications and processes.

Source code review

  • Evaluate code quality and implementation from functional and security perspectives.
  • Manually verify findings and provide context as necessary.
  • Develop proof-of-concept code to show impact of vulnerabilities.

Mobile apps (iOS, Android, Windows Phone)

  • Address the security challenges associated with having web services, embedded browsers, native code components, and third-party services in a single application.
  • Analyze application data storage routines (passwords, usernames, personally identifiable information, and other sensitive data).
  • Evaluate the usage of platform protections.
  • Identify permission boundary checking and analysis.
  • Perform high-level device forensics, including the security of network communications, data transmissions, and device-specific configurations and backup mechanisms.

Why choose Coalfire for your application security assessment?

  • Our approach goes beyond automated tools and processes to include manual reviews, adversarial analyses, and tailored manual techniques to fully explore identified vulnerabilities.
  • Our security consultants are trained and experienced developers with in-depth knowledge of the software development lifecycle and secure coding strategies.
  • We follow industry best-practice testing guidelines, such as the Open Web Application Security Project (OWASP), to identify configuration flaws, session management issues, application authentication mechanisms, business and application logic assumptions, and input validation issues.
  • Our assessments provide valuable and actionable insights into discovered vulnerabilities, projected business impact, and remediation steps.

Which applications pose the most security risk to your organization?

Through our risk ranking and assessment planning services, we can help you identify which applications deserve your attention and how to assess their security.

Contact Us

More from adversary ops