Our Web and Mobile Application Penetration Services
Application Security Assessment (ASA) services provide a customized, extensive, impartial and periodic security analysis of internally developed or commercial enterprise applications. This service evaluates current “standards” and levels of compliance to give organizations a well-developed matrix of existing threats, application vulnerabilities and recommendations of real world solutions to address specific weaknesses.
Our consultants utilize a combination of automated and manual techniques to uncover vulnerabilities in clients’ systems and infrastructures. Both proprietary and commercial assessment tools are leveraged to best identify these vulnerabilities. To ensure the accuracy and quality of results, consultants perform false positive validation on each and every finding and all testing beyond URL scanning is performed manually.
We utilize a custom ASA methodology, developed through our extensive experience conducting ASAs and dynamic code reviews over the last fourteen years. Our ASA Methodology is based on the Open Web Application Security Project (OWASP) testing guide, NIST 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM) Web Application Methodology. Our testing includes all testing requirements set out by the Payment Card Industry Data Security Standard (PCI DSS).
We perform ASA testing against both client and server applications including:
- Web Applications
- Mobile Applications
- Thick Client Applications
- Web Services
- Application Programming Interfaces (APIs)
We maintain a library of proprietary tests and custom-developed tools to check for vulnerabilities that automated means cannot identify. Additionally, we use the Burp Suite Pro web application vulnerability scanner.
We deliver our ASA services in three (3) service levels, based on client requirements and objectives:
- Application Penetration Assessments – Includes application scanning followed by intensive manual testing to identify application vulnerabilities. Application penetration assessments are typically performed on high risk applications, new applications or after major changes to an application. Reporting is fully customized and includes both positive and negative findings.
- Application Vulnerability Assessments – Includes application level scanning and manual testing to identify application level vulnerabilities. Application vulnerability assessments are typically performed annually on stable applications, after minor changes to an application or to test a specific application module. Reporting is customized and only includes negative findings.
- Mobile Application Security Assessments – Includes full interrogation of a mobile application and its associated services (Web Services & APIs) along with the server hosting those services. Mobile application security assessments are performed on release candidate versions or on production versions of mobile applications. This includes iOS mobile applications and those found on the Android platform.
We believe in a proactive approach to security and a continuous assessment process, and we work with our clients to be an integral part of their Secure Software Lifecycle Development (SSDLC) process. However, each ASA offering can also be delivered as a one-time standalone assessment.
MASA & ASA Methodology – Download
Our Network Penetration Testing Service:
The goal of penetration testing is to simulate a hostile attack in order to discover vulnerabilities. The EnableIT ethical hacking team will conduct manual testing in conjunction with using a host of commercial, open source and internally developed tools to identify known and unknown vulnerabilities. The following criteria will be applied to all penetration tests.
Summary of Testing (non-exhaustive):
- Cross Site Scripting (XSS) Flaws
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
- Unvalidated or Unsanitized Input
- Insecure Configuration Management
- Network Segmentation Testing
- Infrastructure Testing
Our Code Analysis Service
EnableIT provides static and source code analysis using commercial and open source tools. Our source code analysis (SCA) offering identifies vulnerabilities present in source code that dynamic code analysis might miss. Source code is scanned for common issue classes such as missing input validation, buffer overflows, unsafe memory allocation functions and other defects that can lead to exploitable vulnerabilities within the application. Especially when combined with dynamic testing (penetration testing), SCA provides a deeper level of security testing.
Source Code Analysis follows the basic process steps below:
- Setup – includes loading code into an appropriate IDE and building the application
- Automated code analysis using commercial and open source tools
- Manual verification of findings
- Manual analysis – includes numerous checks for things like encryption, authentication controls, unvalidated input, use of session controls, error handling, and many others