softScheck identifies Vulnerabilities in your Webapp
Because they are publicly accessible and process sensitive data (for example, customer data in online shops), web applications are a popular target for attackers. The consequences of a successful attack are loss of data and damage to the company's image, which becomes noticeable as a loss of customer confidence. The complexity of web applications and their connections to other systems such as databases decisively increase the risk of a successful attack.
The web applications named by the client, including the implemented software with its patch level, configuration and application logic, are subjected to security testing with two methods, penetration testing and fuzzing, in order to identify both already known and, in particular, previously unrecognized vulnerabilities (zero-day vulnerabilities). Targeted attacks are carried out from an attacker's point of view in accordance with the BSI guide to penetration testing and the OWASP Testing Guide.
Among other things, the following checks are performed:
- Information Leakage: Can an attacker obtain sensitive data such as system configurations, user data or even corporate data without prior authorization?
- Authentication Mechanism: Can an attacker work around login interfaces, e.g. with bypass attacks, and thereby obtain permissions in the web application?
- Input Validation: Can an attacker carry out attacks such as cross-site scripting or SQL injection because the input data is not properly verified?
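The input-validation check above is easiest to understand with the two classic cases side by side. The following is an added example written for this page, not code from softScheck or from any client application; the `users` table, the sample rows and the probe string are constructed for the demonstration. The vulnerable lookup splices the user-supplied name into the SQL text, so a single quote in the input changes the meaning of the `WHERE` clause and the query returns every row; the hardened lookup binds the value as a parameter, so the same input simply matches nothing. The HTML pair shows the equivalent fix for cross-site scripting: output encoding with `html.escape` instead of string concatenation.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is pasted into the SQL text, so it can change the
    # structure of the query rather than only the value being compared.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the driver passes the value separately from the SQL
    # text, so it can never be interpreted as SQL syntax.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name: str) -> str:
    # Untrusted text placed directly into HTML is interpreted as markup.
    return "<p>Hello " + name + "</p>"


def greeting_safe(name: str) -> str:
    # Output encoding turns markup characters into harmless entities.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run both variants against the same constructed inputs and return the results."""
    conn = make_db()
    # Constructed probe: the single quote closes the string literal, and the
    # rest of the input becomes part of the WHERE clause.
    probe = "x' OR '1'='1"
    markup = "<b>guest</b>"
    return {
        "vulnerable_rows": len(lookup_email_vulnerable(conn, probe)),  # all users
        "safe_rows": len(lookup_email_safe(conn, probe)),              # no match
        "vulnerable_html": greeting_vulnerable(markup),
        "safe_html": greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the comparison is that the hardened versions do not try to recognise "bad" input at all: parameter binding and output encoding make the data channel and the code channel separate, which is what a validation test looks for when it reports that an application is not vulnerable to these classes of attack.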
To achieve the desired level of security, the approach and objectives are agreed with the client in advance. This includes, among other things, identifying the test steps, defining emergency measures and determining which systems, e.g. safety-critical ones, are excluded from the assessment.
Identified vulnerabilities are rated, and a recommended action is described for each. These form the basis for further measures by the client.
softScheck has security testing experience from numerous projects in which previously unidentified vulnerabilities were found. In these projects, security products such as firewalls, safety-critical infrastructure, web applications, mobile applications, local applications and hardware including firmware were tested on the basis of ISO 27034. In addition to the best of the 300 available fuzzers and vulnerability scanners (Nessus, OpenVAS, OWASP ZAP, Metasploit, Burp Suite Professional, etc.), our own tool developments and fuzzing data (attack strings) are used.
Beyond penetration testing and fuzzing, softScheck recommends the use of further security testing methods.
Not only the choice of the most effective methods for identifying security vulnerabilities, but also the optimal point in the software life cycle at which a method is applied, determines success and profitability. A strategy is needed to avoid implementing security activities ad hoc.
A general approach to managing software security is provided by ISO 27034, adopted in 2011 by the International Standards Organization (ISO). This standard, "Application Security", provides a vendor- and technology-neutral basis for this; it defines concepts, frameworks and processes that help companies integrate application security into their development cycle.
The aim of the standard is to apply security measures from the very beginning of development, for example a methodical analysis of the design with the goal of arriving at a secure design. To achieve an adequate level of security, ISO 27034 recommends the following five methods for identifying known and, in particular, unknown vulnerabilities (see figure: ISO-27034-compliant security testing process):
- SQUARE (Security QUAlity Requirements Engineering): The aim of this method is to deliver precise security requirements for the subsequent design phase. All security requirements in question are identified and defined, and existing ones are validated. The result is a complete set of security requirements that can be used in the specification.
- Security by Design: Threat modeling is a method of systematically examining an architecture for security weaknesses. It is used in software and hardware development as well as for testing safety-critical IT infrastructure and networks. The result is a vulnerability-free architecture (security architecture).
- Code Review: Static source code analysis is the semi-automated scanning of source code for security vulnerabilities such as race conditions, deadlocks and memory pointer violations. The aim is to identify and fix vulnerabilities already during implementation.
- Dynamic Analysis: Fuzzing is a dynamic security test (maturity test) in which manipulated and invalid input data (fuzz data, attack strings) is sent to a system or application in order to provoke anomalies. The anomalies provoked in this way are reproduced and analyzed in the next step in order to identify unknown or unpublished vulnerabilities (zero-day vulnerabilities) in the target.
- Simulated Attacks: Penetration testing is a dynamic security test (maturity test) in which known attacks on a system are simulated in order to compromise it. Penetration testing is usually applied once the product has been deployed in a runtime environment, so that the live configuration is checked. The aim is to identify known vulnerabilities, thereby assess the level of security and implement mitigations.
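The Dynamic Analysis item describes fuzzing as three steps: send manipulated input, record the anomalies it provokes, then reproduce and analyze them. The following is an added example written for this page, not softScheck's tooling or fuzz data; the target parser, its two deliberate robustness bugs and the seed corpus are constructed for the demonstration. A small mutation fuzzer feeds mutated records to the parser, treats the parser's own `ParseError` as an intended rejection and anything else as an anomaly, keeps the first input for each anomaly type, re-runs it to confirm it reproduces deterministically, and greedily shrinks it to a minimal reproducer for analysis.

```python
import random


class ParseError(Exception):
    """Expected rejection of malformed input; not counted as an anomaly."""


def parse_record(data: bytes) -> dict:
    """Toy target (constructed): parse a 'LENGTH:PAYLOAD' record such as b'5:hello'.

    Deliberate bugs: a missing ':' raises IndexError and a non-numeric length
    raises ValueError instead of ParseError. These unhandled conditions are the
    kind of anomaly a fuzzer surfaces.
    """
    fields = data.split(b":", 1)
    head, body = fields[0], fields[1]      # IndexError when no ':' is present
    length = int(head)                     # ValueError when head is not a number
    if length < 0 or length > len(body):
        raise ParseError("length does not match payload")
    return {"length": length, "payload": body[:length]}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, byte replace, insert, delete or duplicate."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    elif buf:
        i = rng.randrange(len(buf))
        buf[i:i] = buf[i:i + rng.randrange(1, 4)]
    return bytes(buf)


def fuzz(target, seeds, iterations: int, seed: int = 1) -> dict:
    """Send mutated seeds to target; return the first input seen per anomaly type."""
    rng = random.Random(seed)              # fixed seed keeps the campaign reproducible
    anomalies = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(seeds))
        try:
            target(data)
        except ParseError:
            continue                       # intended rejection, not a finding
        except Exception as exc:           # any other exception is an anomaly
            anomalies.setdefault(type(exc).__name__, data)
    return anomalies


def reproduce(target, data: bytes):
    """Re-run a recorded input; return the exception class name, or None if it parses."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__
    return None


def minimize(target, data: bytes, expected: str) -> bytes:
    """Greedily drop single bytes while the same anomaly still reproduces."""
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if candidate and reproduce(target, candidate) == expected:
                data, changed = candidate, True
                break
    return data


SEEDS = [b"5:hello", b"3:abc", b"0:"]    # constructed valid records as seed corpus


def run_campaign(iterations: int = 3000) -> dict:
    """Fuzz, then confirm and minimize each finding; returns {anomaly: minimal input}."""
    found = fuzz(parse_record, SEEDS, iterations)
    return {name: minimize(parse_record, data, name)
            for name, data in found.items()
            if reproduce(parse_record, data) == name}


if __name__ == "__main__":
    for name, data in run_campaign().items():
        print(f"{name}: minimal reproducer {data!r}")
```

The distinction between `ParseError` and every other exception is the part worth copying into a real harness: a fuzzer is only useful if it can tell an input the program rejected on purpose from one it did not expect, and the reproduce-then-minimize step is what turns a random crash into something an analyst can read.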
A risk analysis communicates the resulting risks to management so that it can provide the resources to fix the vulnerabilities, always in line with economic considerations, and thus produce secure products.
Only the use of systematic security testing methods for identifying security gaps ensures that the state of the art in (security) technology is achieved.