Application Security

Symosis application security assessments address today's complex web applications, web services, and desktop products to identify exploitable, inherent, and potential security threats that place your business at risk. Web-enabled services are a serious security challenge and form the largest external attack surface of your critical assets. Exploitation by a hacker or malicious third party can result in the loss of confidential data, financial loss, and extensive damage to the organization's reputation and image. Our testing methodologies combine in-depth expert manual analysis with broad coverage from automated tools. Reviews are performed from the perspective of an unauthenticated, uninformed adversary (a "Blackbox" approach), expand to include "Whitebox" reviews performed hand-in-hand with your developers, and can extend to security reviews of your source code. The approach is scoped as your risk needs dictate and the complexity of your application demands.


Application Penetration Testing

Symosis Application Penetration Testing begins with understanding your expected use cases and creating detailed test plans. The application is manually crawled to ensure all functions are fully defined and the calls are captured so that their behavior can be analyzed. Authentication and authorization are reviewed to determine how your application behaves when a check fails; failing open is often the biggest flaw missed in traditional quality testing. The penetration test also examines data validation, session management, error handling, application logic and dataflow to determine whether calls within the application to secondary and support functions can be "spoofed" and exploited. All engagements include cooperative discussions on implementing resolutions to your security exposures as well as regression testing to ensure your application is secure.
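The fail-open flaw mentioned above is easiest to see in code. The following is an added example, not Symosis code or a client's: an authorization check whose error handling grants access when the lookup fails, beside a fail-closed version whose default answer is "deny", plus a small regression probe of the kind a test plan would carry. The permission table, user directory, resource paths and function names are all constructed for this illustration.

```python
"""Added example (not Symosis code): fail-open vs fail-closed authorization.
The permission table, users and resource names below are constructed."""

# Constructed permission table: resource -> roles allowed to access it.
PERMISSIONS = {
    "/reports/quarterly": {"finance", "admin"},
    "/admin/users": {"admin"},
}

# Constructed user directory: username -> set of roles.
USERS = {
    "alice": {"finance"},
    "bob": {"admin"},
}


def lookup_roles(user):
    """Simulates a directory lookup; raises KeyError for an unknown user."""
    return USERS[user]


def is_authorized_fail_open(user, resource):
    """Flawed check: any error raised during the lookup grants access.

    The broad except was meant to ride out transient directory errors, but it
    also swallows KeyError for unknown users and unregistered resources, so an
    unknown principal is allowed through.
    """
    try:
        roles = lookup_roles(user)
        return bool(roles & PERMISSIONS[resource])
    except Exception:
        return True


def is_authorized_fail_closed(user, resource):
    """Hardened check: the default is deny; only a positive role match allows."""
    allowed = False
    try:
        roles = lookup_roles(user)
        # Unregistered resources map to an empty role set, so they never match.
        allowed = bool(roles & PERMISSIONS.get(resource, set()))
    except Exception:
        # A failed lookup stays denied; in production this is where you log it.
        allowed = False
    return allowed


def fail_open_probes(check):
    """Regression probe for a test plan: returns the (user, resource) pairs that
    the given check grants to an unknown principal or an unregistered resource.
    The expected result for a fail-closed implementation is an empty list."""
    probes = [("nobody", "/admin/users"), ("alice", "/not/registered"), ("", "")]
    return [p for p in probes if check(*p)]


if __name__ == "__main__":
    print("fail-open grants:  ", fail_open_probes(is_authorized_fail_open))
    print("fail-closed grants:", fail_open_probes(is_authorized_fail_closed))
```

Running the probe against the fail-open check lists every constructed case; against the fail-closed check it returns an empty list, which is the assertion a regression suite keeps after the fix.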

Key Benefits

Comprehensive in-depth analysis provides security assurance and reduces exposure

Thorough report with executive summary discusses business risks and technical findings

Remediation plan and regression testing ensure vulnerabilities are fixed


Security Threat Modeling

Security Threat Modeling can take place before development or at the point when application penetration testing begins. The process includes assessing and documenting security risks in the context of the use cases, services, roles and functions unique to your application. Threat modeling is performed in collaboration with your business, engineering, operations and corporate security teams to understand and define the system's security objectives, threat profile, attacks, vulnerabilities and countermeasures from design to deployment. Symosis uses techniques such as entry point identification, privilege boundaries and threat trees to assess the security of information during entry, transmission and storage, and also covers the related areas of data validation, authentication, authorization, session management, error handling and cryptography.

Key Benefits

Understand application use cases, workflows, dependencies and security priorities

Translate technical risk to business impact. Create a security strategy

Improve security awareness


Secure Code Review

Security code review provides insight into the "real risk" associated with insecure code. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. Symosis combines automated and manual code analysis techniques in a multi-step process of familiarization, prioritization and analysis to understand the context and produce a risk estimate that accounts for both the likelihood of attack and the business impact of a breach.

Key Benefits

Finds code-level security bugs such as backdoors, master keys, memory leaks and buffer overflows that black- or gray-box testing does not find

Increases the level of security assurance through inside-out assessment


Product Security Assessment

Taking a proven approach to evaluating the security of desktop products, Symosis works with your organization to develop a detailed testing plan that can include a design review, architecture review, code review, and penetration testing of the product. The full complement of services focuses on identifying weaknesses in data flow and data storage. Symosis Product Assessment results can be shared with your customers as a white paper, or delivered as an internally focused report that enables your development team to further secure current products or serves as a roadmap for future products.

Key Benefits

Ensures all parts of the product including clients, servers, storage and data in transit are secure

Evaluates custom protocols and encryption standards

Creates a security roadmap or white paper that can be shared with internal teams and external customers