Application Penetration Assessment
Why let hackers discover your applications' vulnerabilities? Let Foundstone find them and fix them first. Foundstone can protect your company's reputation and prevent revenue losses.
The National Institute of Standards and Technology estimates that up to 92 percent of today's vulnerabilities are at the application layer. Almost every major application in use today has had at least one critical vulnerability publicly disclosed, resulting in lost sales as well as lost reputation and customer trust. Foundstone's Application Penetration Testing service looks at an application from the perspective of a malicious hacker and finds the holes before they can be disclosed publicly and exploited.
- We find holes in applications before the hackers do.
- We perform security quality assurance before applications are released.
- We understand your risk and the potential impact to your business and products.
- We do manual testing for accuracy and effectiveness.
- We offer active knowledge transfer of testing techniques, issues, and remediation to our customers.
The testing begins with static reviews of the binary executables and libraries that make up the application. Server-level scans search for known vulnerabilities and common misconfigurations. Our application penetration assessment consultants then perform an application discovery process to gather information about the application and to search for information disclosure vulnerabilities that reveal secrets such as passwords, cryptographic keys, or customer information. With this data in hand, Foundstone conducts the bulk of the testing, which consists of:
- Configuration management testing, including finding sensitive information in configuration files or environment settings that can be tampered with to alter application behavior, as well as secrets and other revealing strings in the application binaries themselves or in process memory.
- Data protection testing for data at rest and in transit, wherever sensitive information is sent across the network or stored on disk or in a database.
- Authentication and authorization testing to identify opportunities for authentication bypass and privilege escalation.
- Session and state management checks for session hijacking and similar attacks.
- Data validation testing to detect problems such as SQL injection and buffer overflows.
- Error handling and exception management testing that attempts to crash the application into an insecure state or to find information disclosure through crash dump files.
- Auditing and logging checks that attempt to subvert audit trails, create fake log entries, discover sensitive information in the log files, or use the logging mechanism itself as an attack vector.
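The application discovery and configuration management checks above hunt for secrets left in configuration files, environment data, binaries and memory. The following is an added illustration of that check, not Foundstone's tooling: a small Python scanner that extracts printable strings from a byte blob (a binary, core dump or config file) and flags those that look like credentials or key material, using keyword patterns plus a Shannon-entropy test for long random-looking tokens. The sample blob, the pattern names and the thresholds are constructed for this example.

```python
"""
Added example: a secret-disclosure scanner of the kind used during
application discovery and configuration management testing. Not Foundstone
code. It pulls printable strings out of a byte blob and flags ones that look
like credentials or key material using two heuristics:
  1. keyword patterns (password assignments, PEM headers, URLs with embedded
     credentials, API key assignments), and
  2. Shannon entropy, to catch long random-looking tokens that no keyword
     pattern names.
"""
import math
import re
from dataclasses import dataclass

# Minimum printable run length to count as a string (same default as strings(1)).
MIN_STRING_LEN = 8

# Keyword-based patterns. These are hypothetical heuristics for the example,
# not rules from any product; tune them for the application under test.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)(pass(word|wd)?|pwd|secret)\s*[=:]\s*\S+")),
    ("private key block",
     re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("connection string with credentials",
     re.compile(r"(?i)\b\w+://[^/\s:]+:[^@\s]+@")),
    ("api key assignment",
     re.compile(r"(?i)\b(api[_-]?key|token)\s*[=:]\s*[A-Za-z0-9_\-]{16,}")),
]


@dataclass
class Finding:
    offset: int   # byte offset of the string inside the blob
    kind: str     # which heuristic fired
    text: str     # the extracted string


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Yield (offset, string) for every run of printable ASCII of min_len+ bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64/hex key material scores well above 4.0;
    English text and identifiers usually score below it."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_random_token(s: str, min_len: int = 24, min_entropy: float = 4.0) -> bool:
    """A long, space-free string with high entropy is probably a key or token."""
    return len(s) >= min_len and " " not in s and shannon_entropy(s) >= min_entropy


def scan_blob(blob: bytes):
    """Return a list of Findings, in offset order, for strings that look secret."""
    findings = []
    for offset, s in extract_strings(blob):
        kind = next((name for name, pat in SECRET_PATTERNS if pat.search(s)), None)
        if kind is None and looks_like_random_token(s):
            kind = "high-entropy token"
        if kind is not None:
            findings.append(Finding(offset, kind, s))
    return findings


# Constructed sample "binary": junk bytes around embedded config-like strings.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"db_password=Winter2024!\x00"                                     # flagged
    + b"\x90" * 8
    + b"jdbc:postgresql://app:s3cr3t@db.internal:5432/orders\x00"       # flagged
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"                             # flagged
    + b"Copyright Example Corp\x00"                                      # benign
    + b"\x00" * 4
    + b"tok_9fQz2LmX7vR4pKw8sBn1Yd3Hc6Je5Ta0\x00"                        # flagged by entropy
)


if __name__ == "__main__":
    for f in scan_blob(SAMPLE_BLOB):
        print(f"0x{f.offset:08x}  {f.kind:36s}  {f.text}")
```

In a real assessment the same function runs over every extracted artifact: unpacked binaries and shared libraries, config files from the deployed server, process memory dumps, and crash dumps. Expect false positives from the entropy test (compressed data, hashes in resource tables) and review each hit by hand; the point is to shorten the list a consultant has to read, not to replace the review.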
Throughout the testing, the main goal is to compromise the application's servers and/or its remote agents and clients. Foundstone also searches for application vulnerabilities that would allow an attacker to gain access to the underlying operating system or to the backend database servers.
Contact us to learn how our security services can help you protect your most important assets today.