Commissum’s application assurance services offer advice on best practice in application assurance and security testing.
- CREST assured application security testing
- Comprehensive application security assurance service throughout the software development life cycle (SDLC)
- Objective, independent and pragmatic security advice
Application Testing Issues
Software applications are the reason for using complex computer systems. They are the means of harnessing the power of the hardware, to provide value through functionality. Applications are the access points to your information assets.
Unfortunately, owing to their complexity and the inevitable business pressures during development, applications are more often than not the weak points in an organisation’s security. Organisations are understandably focused on ensuring that business functional requirements are delivered by the development teams; time-to-market can be critical for application development. In this environment, it is all too easy to overlook critical flaws in design, code implementation, or underlying vulnerabilities in the commercial components that are an integral part of the application or the environment in which it operates.
Attackers are only too aware of the potential weakness in applications, and application level attacks are still one of the major sources of unauthorised access to, or misuse of, systems today. By their very nature, they bypass traditional defences, and are extremely difficult to detect.
There is therefore always a delicate balance to be struck between functional requirements, business needs, and security risk. Commissum is able to provide comprehensive application security assurance services that include design assurance consultancy throughout the development lifecycle, development audit, critical phase review, code review, and specialist security application testing.
Ideally, a client will engage the services of Commissum’s security assurance specialists at the earliest phases of a project. It is significantly more cost-effective to design with best-practice security in mind from the start. However, the knowledge and skills of the Commissum team can be applied at all stages, particularly as independent security testers as part of system proving.
The approach taken to any assignment can be either “Black Box” (limited prior knowledge) or “White Box” (full application knowledge), although ideally a combination of both approaches is used for greatest effect.
Depending on the agreed scope, the following elements may be included in testing:
- Test functions exposed to users or other applications
- Monitor network traffic for transmission of information of benefit to an attacker
- Test for a wide range of typical vulnerabilities including the OWASP top ten
- Test for resilience to inappropriate data input
- Review systems software for known security flaws and common coding errors
- Check infrastructure implementation for secure operation
- Test that the application is not prone to “fail open”
- Check the protection of sensitive information and administrative functions
- Code review through use of automated tools or manual checking or a combination of both
- Code-assisted testing
Application Testing Customer Benefits
- A concentrated pool of security-focused resource to advise on best practice security implementation
- Objective, independent, current security knowledge of a wide range of commercial software and applications
- Comprehensive testing of bespoke applications by drawing on concentrated security knowledge to devise tailored threat scenarios: thinking like an attacker is different from thinking like a user
- Advice on best practice measures and corrective action required to improve security deployment and integrity
- Independent expert assurance that applications and processes are able to resist a range of attacks
- Confidence that the system will not make headlines as a hacker’s, criminal’s or terrorist’s latest victim
Commissum is able to recommend hardened configurations for system components that enable required functionality, while disabling unneeded features and improving integrity and resistance to attack.