Application Security Assessment
Research has proven that detecting security vulnerabilities in earlier phases of the development life cycle results in substantially lower development costs while at the same time producing software with fewer security defects. AppSec Consulting can help you achieve these goals by performing a security architecture and design review well before your coding is complete. Uncovering security gaps at this stage will allow you to deploy a more robust application with fewer surprises during penetration testing.
The core of our architecture and design review methodology is a process called threat modeling, in which we evaluate your controls against a wide variety of common threats as well as threats that are specific to your application. If we identify missing or inadequate controls, we provide practical remediation advice that is tailored to your application and business.
The AppSec Consulting Difference
- We employ senior consultants who possess extensive software design and development experience. They apply their experience and expertise to helping you improve the security of your applications.
- Our reporting differentiates us from the competition - you'll receive a custom-written report containing expert advice tailored to your business.
- We're with you every step of the way throughout the remediation phase and can follow up this review with a code review and/or runtime assessment when you are ready.
- Preparation – AppSec Consulting will verify that it has received the following information from the customer in preparation for the assessment:
  - Design documentation for the application
  - Contact information for application point(s) of contact who can answer AppSec Consulting’s questions during this assessment. This would typically include the lead developer and/or architect for the application.
- Documentation Review – AppSec Consulting will review the application design documentation and become familiar with the overall design and the security controls that are included in the design.
- Interviews – AppSec Consulting will interview key personnel from the application team to learn about the application’s design, the security controls that are in place, and how the application is designed to protect against a list of common threats. The personnel will also be asked about any specific threats that are of special concern for this application.
- Threat Modeling – The application and supporting infrastructure’s design will be assessed against a list of common threats to determine whether or not sufficient security controls are built into the design. This list of threats will include, but is not limited to:
  - Attacker brute-forces a user’s credentials
  - Attacker gains access to a user’s session ID
  - Attacker accesses the application without valid credentials
  - Malicious user retrieves another user’s data
  - Attacker gains access to the back-end database
  - Attacker crashes the application, denying service to other users
  - Attacker sniffs sensitive information transmitted over the network
  - (Contact us to obtain the full list.)
- Report Preparation – AppSec Consulting will take the results of the threat modeling and security design review and compile a consolidated report, detailing all vulnerabilities uncovered during the assessment process along with severity levels and recommendations for how to remediate all vulnerabilities that are identified.
What You Get
- An actionable, custom-written Architecture / Design Review Report, which describes the application's security posture and lists all vulnerabilities identified. We also provide a threat model matrix that describes the controls that are in place or missing in relation to each vulnerability, along with custom remediation advice.
- Expert consultation throughout the remediation phase.