Application Security Auditing
As more organizations leverage the Internet for business and commercial transactions, attackers are focusing on applications to penetrate corporate security controls. Historically, developers have focused on functionality over security, which has presented an entirely new venue for attackers to launch exploits and compromise systems and information.
Redsand Networks's application security assessment provides a customized, extensive, impartial, and periodic security analysis of internally developed or commercial enterprise applications. This service evaluates current security standards and levels of compliance to give organizations a well-developed matrix of existing threats, application vulnerabilities, and real-world recommendations to address specific weaknesses. In addition, we use a library of proprietary tests and custom-developed tools to check for vulnerabilities that cannot be identified through automated means.
Redsand Networks's services are performed only by experienced and credentialed professionals, most of whom are CISSPs. We participate in industry associations such as InfraGard, OWASP and OSSTMM open source forums. All this is put to work for you; we go beyond the basic application assessment to:
- demonstrate due diligence for regulatory compliance (as applicable);
- assure web applications are sufficiently hardened;
- deliver actionable findings and strategic recommendations;
- provide knowledge transfer to your internal security resources;
- utilize a dedicated senior project team with global recognition in the security industry.
Some organizations believe applications have security built in or are "good to go" out of the box. This is not usually the case. In fact, it is rarely true. Redsand Networks's trusted advisor services help put the security back into your applications:
- Redsand Networks does not rely solely on tools and scanners for application assessments because of their relative immaturity. All our testing beyond basic URL scanning is performed manually by experienced security professionals.
- Redsand Networks performs comprehensive threat analysis to identify key assets needing protection and defines security threats to those assets.
- Redsand Networks will provide you with a detailed report on security vulnerabilities along with architectural and operational weaknesses identified based on our proprietary checklist that goes beyond requirements identified in the OWASP standard or checklist. Our findings report also provides detailed explanations of countermeasures necessary to secure applications, data assets, and resources, and outlines policy recommendations to ensure long-term compliance with industry best practices.
We offer a multitude of application security focused services including application auditing, hardening, and compliance reviews. Why not become proactive in hardening your enterprise applications for your own benefit as well as your clients'? Our solution is twofold: we will help you structure your Software Development Life Cycle (SDLC) to ensure security checks are in place at every stage of the SDLC, and we will audit your source code or closed-source application for security-related vulnerabilities. We understand that Source Code Analysis (SCA) may not always be an option and are willing to work with our clients. Performing blind, "black box" examinations of applications and appliances will help protect your intellectual property while still identifying and relieving even the toughest vulnerabilities.
How would this help?
Redsand Networks offers several solutions but all are without bounds. We want to work with our clients to achieve a shared goal of better security policies and practices.
We will audit your application for security flaws, documenting in detail each identified vulnerability.
- Source Code Analysis (SCA): C/C++, Perl, ASP/.NET, C#, ColdFusion, Java, and many more.
- Binary Code Analysis (BCA): Blind analysis may be performed on an application using not only basic benchmarking tests, but also advanced customized binary analysis to achieve greater accuracy in vulnerability identification.
- Mixed Code Analysis (MCA): Source Code Analysis (SCA) may be performed on portions of code, as well as a Binary Code Analysis (BCA) used on other portions of the application deemed "sensitive".
Detailed below is a typical contract outline for these services. A typical agreement contains the following stages:
- Introduction - An initial overview is required to determine the exact needs of the client, and it provides an opportunity to ensure expectations will be kept throughout the length of the contract.
- Education & Training - If desired, our expert staff will plan a two (2) to three (3) day training course tailored specifically to the client's needs. This will help educate and inform, giving the client the opportunity to ask detailed questions and seek advice.
- Security Analysis - This stage of our application analysis marks the quiet period. Within this period, our application security specialists delve into the project using one of the three code analysis categories (SCA, BCA, MCA). During this analysis phase, periodic status meetings will be scheduled to update those involved. If a serious security-related flaw is found, we will notify the client immediately and work with them towards a speedy remediation cycle.
- Remediation - We will work with the client and their developers to ensure these security flaws have been permanently remediated. The greatest importance is placed upon this stage to ensure variations of the original vulnerability do not exist.
- Review - A final review of the contract will be held to ensure both our expectations and the client's expectations have been met. Upon completion of this stage, our final invoice will be sent.
What about code updates in the future? Are we covered?
Redsand Networks offers an optional hourly allocation package that can be applied to general security consulting or to auditing any new or modified code that may need review.
What if someone reports a vulnerability for our product; what about quality assurance?
Redsand Networks will help you work with security researchers so that both parties understand the security risks. We will also work directly with you to ensure the security issue is found and patched properly, and we will not release it until it has gone through our precise Quality Assurance testing procedure.
How can we prevent this?
So what is the solution to avoiding security flaws from the beginning? A Team Software Development Process. Give Redsand Networks the opportunity to educate and train your development staff in a proven development methodology that will best suit your design and development process. Our process has been shown to reduce vulnerabilities to a count of 0.06 per 1,000 lines of code. So what's our secret? The first step to stopping vulnerable code is a focus on developer awareness.
Redsand Networks will work with you in order to help:
- Design applications with prevention in mind, to avoid security issues from the beginning.
- Remove defects as soon as possible.
- Control the development process through measurement and quality control management.
- Monitor the process and use predictive measures for remaining defects.