Description
INTRODUCTION
Most current threats are directed at the application layer, code security analysis is a must for any competitive organization. Application analysis searches software for vulnerabilities like application backdoors or malicious code so they can be fixed before they are discovered and exploited by hackers.
Many code security analysis solutions, however, are inadequate to the task. Some return so many false positives that developers spend more time tracking down non-threats than real problems. Some are prohibitively expensive to purchase, install and update.
METHODOLOGY
To obtain the most comprehensive results and minimize risk, this level of analysis employs automated source code static analysis to identify a preliminary set of vulnerabilities, followed by a full manual analysis of the source code searching for types of vulnerabilities that are not reliably found through automated tools.
This deep-dive process is most appropriate for commercial applications that have the highest security requirements, such as applications that process a large volume or high-value financial transactions. Comprehensive assessments ensure the lowest level of residual risk.
SECURITY CONTROLS
Design
- Architecture and Design documentation is complete
- User and role/access based privileges are documented
- APIs are well partitioned into public and restricted
- Security is layered – each layer assumes other layers may have been compromised
- Security design covers all 8 principles of security: authentication, authorization, confidentiality, message integrity, data integrity, availability, non-repudiation
- Sensitive data has been identified
Authentication and Cookie Management
- User credentials are encrypted in the datastore
- Security policies are configurable (not hardcoded)
- Standard security frameworks are used (instead of custom code)
- SSL is used to protect user credentials and authentication tokens
- Authentication cookies are not persisted
- Authentication cookies are encrypted
- Cookie names and paths are used
- The application handles user management events such as authentication failure, password reset, password change, account lockout, and cancel account
- The application handles suspicious events such as multiple failed login attempts, session replay, and attempted access to restricted resources
- Strong passwords policies are enforced
- Authentication credentials are not passed by HTTP GET
Authorization
- Authentication and authorization should be the first logic executed for each request
- Authorization checks are granular (page and directory level)
- Deny access to pages and data by default
- Re-authenticate for requests that have side-effects
- ACLs are configured for all files
- Authorization based on clearly defined roles
- Authorization works properly and cannot be circumvented by parameter manipulation
- Authorization cannot be bypassed by cookie manipulation
Data Validation
- All external input is validated without exception
- Where possible input is restricted to known good chars
- Data is validated server-side (security should not rely on client-side validations)
- The application validates numerical input and rejects unexpected input
- Application efficiently evaluates input length
- The strong separation between data and commands
- The strong separation between data and client-side scripts
- Data should be checked for special characters before being passed to SQL, LDAP, OS, and third party commands
- HTTP headers are validated for each request (e.g. referrer)
Cryptography
- Sensitive data has been secured in memory, storage and transit
- Restricted areas require SSL
- Sensitive information not passed to/from non-SSL pages
- Proper SSL set up
- SSL provider supports only strong algorithms
- Web based admin tools require SSL
- Decryption services protected by authentication/authorisation
- Require SSL for login page
- Securely store cryptographic keys
Session Management
- No session parameters passed in URLs
- Session cookies expire in a reasonably short time
- Session cookies are encrypted
- Session data is being validated
- Private data in cookies is kept to a minimum
- Application avoids excessive cookie use
- Session id is complex
- Session storage is secure
- Application properly handles invalid session ids
- Session limits such as inactivity timeout are enforced
- Logout invalidates the session
- Session resources are released when session invalidated
Error Exception Handling
- When exceptions occur the application fails securely
- Error messages do not reveal sensitive information
- System errors are never shown to users
- Resources are released and transactions rolled back when there is an error
Loging and Monitoring
- All user / system actions are logged
- Sensitive information is not logged (e.g. passwords)
- Logging for user management events (e.g. password reset)
- Unusual activity such as multiple login attempts are logged
- Logs have enough detail to reconstruct events for audit purposes
- Logging is highly configurable (logging levels)
General Security Misconfiigurations & Business Logic flaws
- Proper configuration of frameworks such as Spring, Struts, .NET etc..
- Libraries are up-to-date
- System calls have their return status checked
- Efficient memory usage
- No exposures to buffer overruns
- Code, services, commands and processes are executed using minimal privileges (least privileges)
- Code has no back doors
- Debugging code and test harnesses have been removed
COUPLING SECURE CODE REVIEW AND PENETRATION TESTING
The coupling of secure code review along with penetration generally (a white box activity) gives positive and unconventional results as knowing the internal code structure gives an added advantage in terms of knowledge which can be used to create test cases and abuse cases.
Using this approach, a productive penetration testing can take place, since testing can be focused on suspected vulnerabilities. For example, a penetration test on an application using a vulnerable framework can concentrate on the weaknesses that exist in those frameworks or libraries.
The results from the white box activity can be used to target other similar areas for code review. For example, if output encoding is not implemented in one module or feature of an application, chances are it is not implemented elsewhere in the application.
If you prioritize security in your business, you need both a secure code review and pen-testing.
Description
Intect is top penetration testing and security assessment firm with a focus on web, mobile apps, network, and cloud testing. As a security partner, we identify and demonstrate the risk and the vulnerabilities which put clients at risk.
Our mission is to help our clients to secure their digital assets. We operate across India and in several other countries for clients who require our specialised skill sets.
Our team includes active security researchers, ethical hackers, bug bounty players & tool developers who are highly credentialed in their field. We work hard to stay at the forefront of cybersecurity industry and that is shown through our research and training.
Our penetration testing assessments are not just for a tick in the checkbox on the list of security requirements. The detailed reports we provide enable you to substantiate the security of your applications and networks to your stake-holders. Intect provides the technical expertise and guidance to find the gaps in your security.
Our consultants have expertise across a range of industries, including BFSI, e-Commerce, telecom, technology, enterprise suites, manufacturing, education and public sector.