Application Security Testing
Application security has become a major concern in recent years. Attackers are using new techniques to gain access to sensitive data, disable applications and carry out other malicious activities aimed at the web application. Securing an application is imperative in today's world. Until recently, application security was an afterthought; developers were typically focused on functionality and features, leaving security to be implemented at the end of development. This approach has proven to be disastrous: many vulnerabilities have gone undetected, allowing applications to be attacked and damaged.
CGF Working Model For Web Penetration Testing
Our goal is to simulate an attacker and to emulate what a real hacker would do; however, the main purpose of an assessment is to make the organization stronger and more resilient to attack.
Web Application Penetration Testing (WAPT)
Mobile Application Penetration Testing
OUR TESTING METHODS
Black Box Testing
Grey Box Testing
White Box Testing (Code Reviews)
Web Application Security Testing
By default, CGF follows its own structured testing methodology, which covers the full OWASP checklist and Top 10 attacks, OSSTMM (Open Source Software Testing Methodology Manual), the SANS 25 errors, other new attacks and business logic vulnerabilities, using both automated and manual testing.
OWASP TOP 10 Attacks:
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
OWASP Testing Standards & Guidelines
SANS 25 Errors
Open Source Software Testing Methodology Manual (OSSTMM) Controls
Business Logic Vulnerabilities
HTML5 Security Vulnerabilities
Web Services Security Vulnerabilities
New Attacks: Cross-Site Port Attacks (XSPA), Server Side Includes (SSI), etc.
Android Application Security Testing
Due to the significant increase in the use of smartphones and mobile applications in the last few years, attacks on mobile applications have increased rapidly. With the advent of 3G and 4G networks, smartphones are increasingly used for financial, business and social transactions, for accessing the Internet and for media consumption.
Mobile applications provide convenient access to bank accounts, credit card data, personally identifiable information (PII), travel itineraries and personal emails, to name a few. Enterprise mobile applications extend corporate networks beyond the perimeter devices and thus potentially expose these organizations to new types of security threats.
Through 2015, more than 75 percent of mobile applications will fail basic security tests, according to Gartner, Inc.
CGF Security Team:
The CGF Security Team tests and verifies all security issues to make sure the app follows the latest mobile security best practices. CGF digs deep to look for vulnerabilities that can cost you time, money and reputation. CGF follows the OWASP Top 10 guidelines, with more focus on the Top 10 Mobile Risks, reverse engineering and other application vulnerabilities.
Top 10 Mobile Risks
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Other Tests We Do
Reverse engineering the application to find critical information disclosures and other flaws
Other application-layer vulnerabilities such as XSS, SQLi, CSRF, etc.
Business logic vulnerabilities