APPLICATION SECURITY ASSESSMENT

Whether you develop corporate applications in-house or purchase them from third parties, you will know that a single coding error can create a vulnerability that exposes you to attacks resulting in considerable financial or reputational damage. New vulnerabilities can also be introduced during an application's lifecycle, through software updates or insecure configuration of components, or can arise as new attack methods are discovered.

Kaspersky Lab's Application Security Assessment uncovers vulnerabilities in applications of any kind, from large cloud-based solutions, ERP systems, online banking and other business-specific applications, to embedded and mobile applications on different platforms (iOS, Android and others).

Combining practical knowledge and experience with international best practices, our experts detect security flaws which could expose your organization to threats including:

  • Siphoning off confidential data
  • Infiltrating and modifying data and systems
  • Initiating denial of service attacks
  • Undertaking fraudulent activities

By following our recommendations, the vulnerabilities revealed in your applications can be fixed and such attacks prevented.

SERVICE BENEFITS

Kaspersky Lab Application Security Assessment Services help application owners and developers to:

  • Avoid financial, operational and reputational loss by proactively detecting and fixing the vulnerabilities that are used in attacks against applications.
  • Save remediation costs by tracking down vulnerabilities while applications are still in development and test, before they reach the production environment, where fixing them may involve considerable disruption and expense.
  • Support a secure software development lifecycle (S-SDLC) committed to creating and maintaining secure applications.
  • Comply with government, industry or internal corporate standards covering application security, such as PCI DSS or HIPAA.

ABOUT KASPERSKY LAB’S APPROACH TO APPLICATION SECURITY ASSESSMENT

Security assessments of applications are performed by Kaspersky Lab security experts both manually and through applying automated tools, with full regard to your systems’ confidentiality, integrity and availability and in strict adherence to international standards and best practices, such as:

  • Web Application Security Consortium (WASC) Threat Classification
  • Open Web Application Security Project (OWASP) Testing Guide
  • OWASP Mobile Security Testing Guide
  • Other standards, depending on your organization’s business and location

Project team members are experienced professionals with deep, current, practical knowledge of the field, including different platforms, programming languages, frameworks, vulnerabilities and attack methods. They speak at leading international conferences, and provide security advisory services to major vendors of applications and cloud services, including Oracle, Google, Apple, Facebook and PayPal.

SERVICE SCOPE AND OPTIONS

Applications assessed can include official web sites and business applications, whether on-premises or cloud-based, as well as embedded and mobile applications.

The services are tailored to your needs and application specifics, and may involve:

  • Black-box testing, emulating an external attacker with no prior knowledge of or access to the application
  • Grey-box testing, emulating legitimate users with a range of profiles and privilege levels
  • White-box testing, with full access to the application, including its source code; this approach is the most effective in terms of the number of vulnerabilities revealed
  • Application firewall effectiveness assessment: the application is tested both with and without firewall protection enabled, to find vulnerabilities and to verify whether potential exploits are actually blocked by the firewall

RESULTS

Vulnerabilities which may be identified by Kaspersky Lab Application Security Assessment services include:

  • Flaws in authentication and authorization, including multi-factor authentication
  • Code injection (SQL Injection, OS Commanding, etc.)
  • Logical vulnerabilities leading to fraud
  • Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
  • Use of weak cryptography
  • Vulnerabilities in client-server communications
  • Insecure data storage or transfer, for instance lack of PAN masking in payment systems
  • Configuration flaws, including ones leading to session attacks
  • Sensitive information disclosure
  • Other web application vulnerabilities leading to the threats listed in WASC Threat Classification v2.0 and the OWASP Top Ten.
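The PAN masking item above refers to the PCI DSS rule that a displayed primary account number shows at most the first six and last four digits (PCI DSS v3.x, requirement 3.3; v4.0 allows a longer BIN). As an added illustration, not part of Kaspersky Lab's service description or tooling, the Python below does the two things an assessor actually needs: a detector that scans application output for candidate PANs and confirms them with the Luhn checksum (so that order numbers and other long digit strings are not flagged), and a masking function that produces the compliant form. The log lines are constructed for this example and use publicly known test card numbers, not real account data.

```python
import re

# Constructed sample output from a hypothetical payment application (not real data).
# Line 1 leaks a full test PAN, line 2 is correctly masked, line 3 carries a long
# reference number that must NOT be flagged as a PAN.
SAMPLE_LINES = [
    "2024-05-01 order=1001 pan=4111111111111111 amount=19.99",
    "2024-05-01 order=1002 pan=411111******1111 amount=5.00",
    "2024-05-01 order=1003 ref=12345678901234567 amount=7.50",
]

# PANs are 13 to 19 digits long; the word boundaries stop us matching inside longer tokens.
CANDIDATE_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN to the PCI DSS v3.x maximum of first six / last four visible digits."""
    if len(pan) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def find_unmasked_pans(lines):
    """Return (line_number, pan) for every Luhn-valid candidate found in the lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            if luhn_valid(m.group()):
                findings.append((n, m.group()))
    return findings


def mask_line(line: str) -> str:
    """Rewrite a line so that any Luhn-valid PAN in it is masked; other numbers untouched."""
    return CANDIDATE_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), line
    )


if __name__ == "__main__":
    for n, pan in find_unmasked_pans(SAMPLE_LINES):
        print(f"line {n}: unmasked PAN {pan} -> should be {mask_pan(pan)}")
```

Run against an application's logs, screenshots transcribed to text, or exported reports, the detector gives a concrete finding ("PAN stored in clear on line N") rather than a generic observation, and the masking function gives the developer the expected remediation output to test against. The Luhn check matters: without it, timestamps, order numbers and tracking references of 13 to 19 digits produce false positives that waste both the assessor's and the developer's time.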

Results are delivered in a final report containing detailed technical information on the assessment process, the vulnerabilities revealed and recommendations for their remediation, together with an executive summary outlining the implications for management. Videos and presentations for your technical team or senior management can also be provided on request.

DELIVERY OPTIONS

Depending on the type of security assessment, the specifics of the systems in scope and your requirements for working conditions, services can be provided remotely or on site. Most of these services can be performed remotely.