Application Testing
Web Application Security

7Safe specialise in web application security, finding weaknesses by undertaking application security testing. The field has become complex, and in our consultants' experience applications present the greatest risk to an organisation as a whole.
The techniques, tools and methodology used by 7Safe’s penetration testing and web application testing team are constantly updated to ensure that applications are assessed both for conventional flaws (SQL Injection, Cross-Site Scripting and the rest of the OWASP “Top Ten”) and for the latest security vulnerabilities. Automated scanners are therefore only a starting point: our web application testing relies on years of experience in web application security, often using nothing more than a browser and strong intuition.
Web Application Security Experience
Over the years 7Safe has built up significant experience in a variety of application testing scenarios including:
- Online Banking
- Gambling & Gaming
- HR & Payroll systems
- Customer Relationship Management
- Content Management Systems
- Social Networking Sites
- Overall Web 2.0 applications & content
- Binary Applications
Application Testing: Technologies
7Safe’s team has assessed applications written in many different technologies. The applications are assessed and tested against conventional security issues such as:
- Cross-Site Scripting
- SQL Injection
- Cross-Site Request Forgery
- File Include
- Direct Object Reference, etc.
… as well as business logic bypass issues, to assess the risk of unauthorised access to information (i.e. rather than testing only from the front door, what can be reached laterally within the application using genuine but possibly stolen credentials?).
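The lateral test described above can be modelled in a few lines. The following is an added example, not code from 7Safe or from any client application: it builds a constructed in-memory record store, a hypothetical handler with a direct object reference flaw (authentication but no ownership check), the same handler with the check added, and a tester-side routine that, armed with one genuine credential, walks candidate record IDs and reports which ones expose another user's data.

```python
"""Horizontal access check against a toy application (constructed example).

Models the 'lateral' testing step: an authenticated user who should see
only their own records requests other users' record IDs. The handlers,
user names and record data are all hypothetical and built inline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed data store: two users, each owning some records.
RECORDS = {
    101: Record(101, "alice", "alice salary statement"),
    102: Record(102, "bob", "bob salary statement"),
    103: Record(103, "bob", "bob performance review"),
}


class Forbidden(Exception):
    """Raised when a request is refused by the application."""


def get_record_vulnerable(session_user, record_id):
    """Direct object reference flaw: checks that the caller is logged in,
    but never checks that the record belongs to the caller."""
    if session_user is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_fixed(session_user, record_id):
    """Same lookup with an explicit ownership check.

    A missing record and someone else's record produce the same error so
    that the response does not confirm which IDs exist."""
    if session_user is None:
        raise Forbidden("login required")
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        raise Forbidden("no such record")
    return rec


def lateral_access_check(handler, session_user, id_range):
    """Tester-side routine: with one genuine credential, walk candidate IDs
    and return those that disclose a record owned by a different user."""
    leaked = []
    for rid in id_range:
        try:
            rec = handler(session_user, rid)
        except (Forbidden, KeyError):
            continue
        if rec.owner != session_user:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:",
          lateral_access_check(get_record_vulnerable, "alice", range(100, 110)))
    print("fixed handler leaks:",
          lateral_access_check(get_record_fixed, "alice", range(100, 110)))
```

Against a real application the same loop is driven through an HTTP client with a captured session cookie, and the ID space is taken from values observed in the application's own links and forms rather than guessed; the point of the check is that it is run from behind the login, with credentials the application regards as legitimate.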
Application Testing: Importance of Careful Scoping
Prior to testing applications, 7Safe consultants spend time understanding the application’s functionality in depth to identify the different features offered by the application, such as:
- Functionality
- Roles
- User privileges
- Nature of information processed by the application, etc.
Identifying all such aspects of the application during the web application testing process helps 7Safe’s penetration testing and application testing team to:
- assess the risks associated with the application, and
- determine what level of access would be required to identify the attack vectors that could lead to those risks.
This information is then submitted to our client and the relevant levels of access obtained for carrying out the application security testing.
Clarity of Application Testing Reports
The results of penetration testing are then documented in the form of a full technical report. Each issue identified within the application test is then explained with all technical details along with steps/guidelines on how this issue can be recreated by our client. Along with each issue identified during the web application security testing process 7Safe’s team provides recommendations on how an issue can be properly addressed.
The report also has an ‘executive summary’ section containing information for management. We also present an overview of the overall level of web application security and our major concerns (along with the steps which should be taken to further improve security).
7Safe prides itself on undertaking constant research to identify new and emerging threats within the area of web application security, and our team members are regularly invited to speak at leading IT security conferences around the globe.
Binary Application Security

A wide variety of binary applications is usually deployed within an organisation:
- CRM management
- Treasury management
- HR Management etc.
These applications, like web applications, can suffer from a number of security flaws which could result in loss of the organisation’s reputation, financial fraud, or loss of confidentiality, integrity and availability of the organisation’s data.
7Safe analyses binary applications against a number of security vulnerabilities using our application security testing methodology. Vulnerabilities searched for include:
- Design Flaws
- Authentication Flaws
- Input Validation
- Security of data in transit and at rest
- Secure Communication
- Logical Flaws
Whilst application vulnerability assessment tools are useful in such testing, 7Safe’s team of penetration testers rely on experience and intuition to find security issues and often uncover hidden flaws that would otherwise not be found in automated testing.
Citrix Breakout Security Assessment

Citrix™ is a widely used remote desktop application, similar to Microsoft’s Terminal Services (RDP, the Remote Desktop Protocol). Unlike a full Terminal Services desktop, Citrix allows the administrator to publish specific applications that run on the server, so that the end user can execute only the programs the administrator has chosen to allow.
Citrix Security Testing
Due to mis-configurations which 7Safe regularly finds in client networks, it is often possible for a malicious user to bypass these restrictions and launch arbitrary applications. 7Safe consultants undertake application security testing against Citrix deployments covering a wide variety of attacks. Such testing is designed to identify whether it is possible to “break out” of the locked-down Citrix environment to launch arbitrary applications (e.g. cmd.exe) and, after a break-out, whether any further malicious activity is possible, such as elevation of privileges or attacks on the back-end systems.