Are your web applications sufficiently hardened to withstand today’s attackers?
Attackers can compromise data directly through techniques such as SQL Injection and Cross Site Scripting, but they can also use web applications to establish a foothold into your network, from which they can pivot to other assets and uncover sensitive or valuable data. Automated tools are not enough to uncover these types of attacks.
Together, Entisys360 and PTP can provide an Application Security Assessment (ASA) of the transactional elements of your web-based application. Applications such as online banking, online trading, eCommerce, Business to Consumer (B2C), Government to Citizen (G2C), or any other critical application should have a comprehensive assessment of their security posture. An ASA will provide you with confidence that your development team or third-party developer has built a secure application and that your organization has demonstrated due diligence in its efforts to protect confidential or sensitive information.
Together, our approach to security assessments begins with established methodologies from organizations like the Open Web Application Security Project (OWASP) and the Institute for Security and Open Methodologies (ISECOM). We apply these methodologies using a balanced combination of automated tools and manual techniques, with an emphasis on discovering vulnerable application logic that cannot be found using an automated approach. Our certified professionals then add their own experience and creativity to reproduce the real-world scenarios that are common in attacks by experienced cyber criminals and state-sponsored actors.
This assessment will uncover vulnerabilities in the areas of:
- Web Server Configuration (IIS, Apache, IBM, Oracle, etc.)
- Authentication and Authorization
- Session Management
- Business Logic
- Transport Security (how data is moved)
- Cache Control (to prevent exposure of sensitive data)
- Data Integrity, Error Handling, and Validation (such as Buffer Overflows and SQL Injection)
- Web Services (SOAP, WSDL, XML, WCF, RIA)
- The compromise of user IDs, passwords, or session credentials through Cross Site Scripting (XSS) attacks
- Full database access through SQL injection attacks resulting in exposure of Personal Privacy or HIPAA data
- User A being able to access User B’s account and perform actions such as a transfer of funds from user B’s account or placing an online trade (Broken Authentication and Session Management)
- The ability to duplicate legitimate user sessions (Session Cloning) through weak Session Management
- Manipulation of parameter and form variables to view other member or customer data (Insecure Direct Object Reference)
- Third party web sites that can trick a user’s browser into performing an action using the user’s current session in your web application (Cross Site Request Forgery)
- Post-login forwarding attacks that redirect users to a malicious site (Unvalidated Redirects and Forwards)
- Access to administrative pages by unauthorized users (Missing Function Level Access Control)
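The list above names the attack classes an assessment looks for; the following added example (written for this page, not Entisys360 or PTP code) shows, on a constructed in-memory "banking" model, what the corresponding defensive checks look like for three of them: an ownership check against Insecure Direct Object Reference, a constant-time CSRF token comparison on a funds transfer, and allow-list validation of a post-login redirect target. The account data, session ids, user names and the host `bank.example` are all assumptions made up for the illustration.

```python
"""Defender-side checks for IDOR, CSRF and unvalidated redirects.
Added illustration; all data below is constructed for the example."""
import hmac
import secrets
from urllib.parse import urlsplit

# --- constructed sample data (hypothetical) --------------------------------
ACCOUNTS = {                       # account_id -> [owner, balance]
    "1001": ["alice", 500],
    "1002": ["bob", 300],
}
SESSIONS = {                       # session_id -> {"user": ..., "csrf": ...}
    "sess-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)},
    "sess-bob":   {"user": "bob",   "csrf": secrets.token_urlsafe(32)},
}
ALLOWED_HOSTS = {"bank.example"}   # hypothetical application host


def view_account_vulnerable(session_id, account_id):
    """Insecure Direct Object Reference: the id taken from the request is
    used as-is, so any logged-in user can read any account."""
    return ACCOUNTS[account_id]


def view_account(session_id, account_id):
    """Hardened: the record must belong to the authenticated user.
    A missing record and a foreign record get the same error, so the
    response does not reveal which account ids exist."""
    user = SESSIONS[session_id]["user"]
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != user:
        raise PermissionError("account not accessible to current user")
    return record


def transfer(session_id, form):
    """State-changing action. The CSRF token submitted with the form must
    match the token bound to the session (compared in constant time),
    and the source account must belong to the session's user."""
    sess = SESSIONS[session_id]
    supplied = form.get("csrf", "")
    if not hmac.compare_digest(sess["csrf"], supplied):
        raise PermissionError("bad or missing CSRF token")
    src = view_account(session_id, form["from"])   # ownership enforced here
    amount = int(form["amount"])
    if amount <= 0 or amount > src[1]:
        raise ValueError("invalid amount")
    dst = ACCOUNTS[form["to"]]                     # destination need not be owned
    src[1] -= amount
    dst[1] += amount
    return src[1]                                  # new source balance


def is_safe_redirect(target):
    """Unvalidated redirect defence: accept only rooted relative paths or
    absolute http(s) URLs whose host is on the allow-list. Rejects
    scheme-relative targets ('//evil.example'), userinfo tricks
    ('https://bank.example@evil.example'), backslash variants that browsers
    normalise to '//', and non-http schemes such as 'javascript:'."""
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/")              # same-site relative path
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname in ALLOWED_HOSTS and parts.username is None


if __name__ == "__main__":
    print(view_account_vulnerable("sess-bob", "1001"))   # bob reads alice's record
    token = SESSIONS["sess-alice"]["csrf"]
    print(transfer("sess-alice", {"csrf": token, "from": "1001",
                                  "to": "1002", "amount": "100"}))
    for t in ["/dashboard", "//evil.example/", "https://bank.example/home",
              "https://bank.example@evil.example/", "javascript:alert(1)"]:
        print(t, is_safe_redirect(t))
```

The vulnerable and hardened account lookups sit side by side so the single missing comparison is visible; in a real application the ownership rule belongs in the data-access layer, where every code path must pass through it, rather than in individual handlers.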
Business benefits include:
- Regulatory compliance where applicable
- Decreased business risk through an enhanced overall security posture
- Demonstrated due diligence
- Protection of the organization’s reputation
- Reduced litigation expenses
- Reduced expense and publicity of a breach notification
- Reduced insurance premiums, where applicable
- Peace of mind that your application is well hardened
- Increased security awareness among developers that will carry over to future development projects
Technical benefits include:
- A hardened transactional web application that can better resist a concerted application level attack
- Reports that can also serve as guidelines and help educate your developers
- Reduced code refactoring time and expense through early detection and mitigation
Together, we help organizations deal with outdated technology and inefficient processes, and we are experts at reengineering applications that span multiple systems, software languages and platforms. We offer solutions that allow for the seamless migration of applications across architectural platforms, and we provide end-to-end custom software application development from initial use case analysis through post-implementation support.
“WE KNOW GOVERNMENT”
Together, Entisys360 and PTP have significant experience in systems integration and application development, building browser-based applications for the largest government clients. We can leverage that experience and expertise to replace or build new enterprise applications, to extend or add customer-facing websites, or to develop mobile websites and mobile applications that deliver world-class customer service solutions.
We know security. Entisys360 and PTP have proven processes and methodologies that allow us to detect a wide variety of application vulnerabilities. Automated tools are only a small part of what we do. Our security specialists carefully study how the application works and identify risks and vulnerabilities that cannot be detected by automated scanners. A thorough examination of how the developer built the application, combined with in-depth experience in application development and hacking techniques, allows us to reproduce the real-world scenarios that are common in attacks by cyber criminals.
Our security solutions provide our government clients with a full range of security and privacy services to help them meet the challenges they face as they expand their online presence. With the move toward Government 2.0, security requirements increase exponentially. We can help with all aspects including policy writing, network and application security assessments, becoming compliant with industry standards, developing security requirements, performing gap analysis, providing developer training, and more.
We are your Cybersecurity Program Partners
Because we are invested in helping you minimize cybersecurity threats, we…
- Leverage our deep, diverse experience across industries – Our consultants have performed over 300 security projects for the public and private sectors, including the Intelligence Community and 8 of the 10 largest financial institutions in the world
- Offer a full range of security and privacy services to help you expand your online presence – With new Government enabling technologies come increasing security requirements—we help you mitigate the risk associated with your digital growth
- Utilize our own state-of-the-art methodology to simulate a real cyber-attack – Automated tools are useful but only a part of what we do. We carefully study how your systems and applications work to identify risks and vulnerabilities that cannot be detected by automated scanners, which allows us to reproduce the real-world scenarios common in attacks by cyber criminals
Cybersecurity Solutions & Services
Web Application Penetration Testing
- WAPT Methodology
- Identification & Scoping
Network Penetration Testing
- External and Internal
Network Testing Security Roadmaps
- Analyze Current State
- Prioritized Approach
- Sustainable Program
Enterprise Security Assessment
- Business Objectives
- Enterprise Risk Assessment
Some clients we are partnering with who are now benefiting
Security works best if treated as a program that is continually improved, and not only as a checkmark on a compliance report. We will analyze your current information-security state and compare it to practical starting points tailored to your business needs. Next, we work with you to outline a sustainable information security program and identify the priorities that will pay the highest dividends for your organization.
Incident response (IR) is not a one-time event; rather, it is a continuous lifecycle that generates ongoing best practices. Most mature IR teams achieve greater success in detection and containment by using proactive continuous monitoring and response rather than reactive, intermittent response processes. We can help your organization craft an incident response plan and capability. Additionally, we can partner with your personnel to resolve incidents.
Compliance assessments are all about “knowing what you don’t know”. An “outside” view is fundamental to avoiding conflicts of interest and to avoiding blind spots around key potential vulnerabilities. We work with you to help ensure that the business processes designed to achieve your business objectives are secure.
Key elements include an Enterprise Security Assessment and protection from damage scenarios.