Business applications are becoming more complex; the required functionality keeps growing as users and partners expect to access information and complete transactions online. Commercial applications are being used in unexpected ways as people push them to keep pace with customer requirements. At the same time, development staff are under pressure to promote internally developed applications to production as quickly as possible. How do you secure these applications in the current threat environment?
DigitalDefence’s application security service, based on a Software Development Lifecycle approach, aligns the technical aspects of application security with client business requirements, ensuring delivery of a cost-effective and meaningful solution. Our solution comprises the following components:
DigitalDefence starts each application security assessment with threat modeling – a collaborative session that includes both business and technical leads. The team follows a systematic methodology to identify and prioritize threats, and identifies remediation and countermeasures for each. Threat modeling enforces a structured approach to assessing complex applications, and its use minimizes costly fixes by identifying risks as early as possible in the project.
Source code reviews use automated tools combined with manual analysis as a fast and effective way to review an application’s source code for architecture and implementation errors. The review will include:
- A review of the policies and practices around coding standards in use
- Automated analysis to identify bugs and security errors
- Manual analysis of application code that handles functions such as authorization and authentication, session management, and data validation
- Identification of vulnerabilities in the code that arise from unvalidated data reaching sensitive operations
- Identification of poor coding techniques, especially with regards to specific coding frameworks
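The following is an added illustration of the kind of finding a combined automated and manual source code review produces; it is example code written for this page, not DigitalDefence’s tooling or a client’s code. It assumes a hypothetical login routine backed by an in-memory SQLite table with constructed sample data. The automated part is a deliberately simple pattern check that flags query strings assembled with string formatting; the manual part is the vulnerable authentication routine shown beside its parameterised replacement, with an injection payload that bypasses the first and not the second.

```python
import re
import sqlite3

# --- Automated analysis: flag SQL built from untrusted strings ---------------
# Constructed sample source lines (not from any real code base).
SAMPLE_SOURCE = [
    'cur.execute("SELECT * FROM t WHERE id = %s" % user_id)',
    'cur.execute(f"SELECT * FROM t WHERE id = {user_id}")',
    'cur.execute("SELECT * FROM t WHERE id = ?", (user_id,))',
]

# Flags execute() calls whose query is an f-string, a %-formatted string,
# or a .format() call; a parameterised query (third line) is not flagged.
_STRING_BUILT_QUERY = re.compile(
    r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*(%|\.format\())'
)

def find_string_built_queries(source_lines):
    """Return 1-based line numbers where a query is built by string formatting."""
    return [
        n for n, line in enumerate(source_lines, start=1)
        if _STRING_BUILT_QUERY.search(line)
    ]

# --- Manual analysis: authentication path with unvalidated data -------------
def make_db():
    # Constructed schema and data for the example only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Unvalidated data flows straight into the query text: the finding a
    # reviewer of the authentication code would raise.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Parameterised query: user data is bound as values, never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Classic tautology payload supplied as the password field.
INJECTION = "' OR '1'='1"

def demo():
    """Run both routines against the same payload and report the outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "alice", INJECTION),
        "hardened_bypass": login_hardened(conn, "alice", INJECTION),
        "hardened_valid": login_hardened(conn, "alice", "correct horse"),
    }

if __name__ == "__main__":
    print("flagged lines:", find_string_built_queries(SAMPLE_SOURCE))
    print(demo())
```

The pattern check is intentionally shallow; a real tool tracks data flow from input sources to sinks, which is why the manual review of authentication, session and validation code remains part of the service. The `demo()` result shows the vulnerable routine accepting the payload and the parameterised one rejecting it while still accepting valid credentials.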
Source code reviews have been conducted for programming languages and platforms such as C, C++, Java (including J2EE), PHP, Perl, ASP, and .NET. In addition, reviews have also been completed for mobile application code on the Android, Windows Mobile, iOS, and Blackberry platforms.
DigitalDefence employs a standards-based approach when testing enterprise applications, including in-house developments, third-party products, and COTS. Vulnerabilities and compensating controls are assessed for each application in the areas of:
- Network and application architecture
- Business logic
- Authentication and authorization
- Access control, session and user management
- Data validation
- Files and resources
- Data confidentiality, including cryptography
- Change control and configuration management
- Errors and exceptions
Using commercial, open source, and proprietary tools, DigitalDefence will conduct a series of automated and manual tests to identify application vulnerabilities.
Mobile applications, whether developed in-house or by third parties, are often built quickly and carry sensitive data across multiple communications channels. This creates a broad threat environment, placing many organizations at risk.
DigitalDefence’s mobile application security assessment is a standards-based approach that responds to this threat. We rely on industry standards as defined by the Open Web Application Security Project’s Top Ten Mobile Risks and Controls and the Application Security Verification Standard. Our approach delivers coverage across the mobile application environment, from the mobile application itself (client-side code, third-party libraries) to the back-end services, and includes the ability of the mobile application to resist local exploitation on the device as well as remote attacks originating from the Internet, carrier networks, and wireless connections.
We assess applications on the Android, Windows Mobile, iOS, and Blackberry platforms.
A secure development program formalizes an organization’s commitment to developing and releasing secure applications. DigitalDefence can help you to put your program into place by assessing the following:
- Policies and practices
- Integration of a secure software development life cycle into the project management program
- Developer training in secure development
- Software development supply chain management, for organizations that rely in whole or in part on third-party software development
- Lowers costs and security risks by addressing potential vulnerabilities earlier in the software development lifecycle
- Prevents application downtime and improves productivity
- Helps achieve and maintain compliance with government and industry regulations through a standards-based assessment methodology
- Improves user confidence in applications and data security
- Assures key clients, auditors, and management of your organization’s commitment to security