De-risk Your Applications. Subscribe to EVRY's Security Testing as a Service (STaaS) today!
With the exponential increase in Web, Mobile, Cloud and IoT applications, the security risks and challenges involved in protecting sensitive data have also increased many times over, and the focus on security is now at its peak. The situation is challenging because technologies evolve rapidly while the number of attack vectors and entry points keeps growing. A security incident or breach not only results in the loss of sensitive data and damage to the organization's reputation, but also in loss of business and in penalties for non-compliance. Organizations should therefore consider security at every stage of application development, to avoid expensive and time-consuming changes to the architecture or code later in the development cycle. Based on our experience of testing over 150 applications, we have observed that most vulnerabilities exist at the application layer. This is a clear indication that the application is the weakest link and the point where attackers attempt a break-in. At EVRY, we follow the industry standard OWASP-based methodology to identify vulnerabilities, suggest best practices for mitigating the risk, and help our customers move to production with confidence. EVRY's Certified Ethical Hackers have several years of experience conducting a large number of tests on web and mobile applications and networks across domains such as Banking & Finance, Insurance, Healthcare, Retail and ISVs.
DE-RISK YOUR APPLICATIONS
Testing Types
>> Web Application Security
>> Mobile Application Security
>> Network Security
>> API Security
>> Cloud Security
>> IoT Security

Offerings
>> Threat modelling
>> Vulnerability assessment
>> Penetration testing
>> Security code review
>> Secure SDLC assessment

Tools
>> Burpsuite Professional
>> Nmap
>> Nessus
>> Wireshark
>> Metasploit

Penetration Guidelines
>> Open Web Application Security Project (OWASP)

Compliances
>> PCI DSS
>> HIPAA
>> SOX

Differentiators
>> Industry standard methodology based on OWASP for better coverage
>> Experience in conducting numerous security tests
>> Experience in varied domains, from Banking & Finance, Insurance, Healthcare and Retail to ISVs
>> Dedicated test lab with extensive tool kit
Subscription-based Security Testing as a Service (STaaS)

Any application goes through many changes during its lifecycle, such as new feature additions and bug fixes. These code changes may inadvertently introduce a security loophole, which is why periodic vulnerability assessments are needed. To address this, EVRY's annual subscription service for security testing combines Automated Scans with Manual Assessments, minimizing the security issues that seep into your applications.
EVRY's Subscription-based Security Testing as a Service (STaaS)
>> Quarterly Automated Scanning: automated vulnerability scanning
>> Quarterly Manual Vulnerability Assessment: manual assessment & penetration testing of the application
Benefits
>> Periodic security validation against major releases
>> Meeting security compliance
>> Tracking the vulnerability trend of the application
>> Cost saving
Case Study

Client Overview
Our client is one of the major department store chains in the USA and sells apparel at a discount. They also run an e-commerce application where buyers can search for and shop popular brands at discounted prices.
Business Requirement
The client was planning a major product release and wanted to ensure there were no major security loopholes in their e-commerce application before deciding to move to production. They therefore wanted a thorough application security test. The scope was a detailed Vulnerability Assessment of the e-commerce platform, followed by penetration testing to exploit the vulnerabilities found. The focus was on manual assessment rather than tool-driven scans, as another vendor had already completed the tool-driven scans.
EVRY’s Solution
Our Security Team first studied all the critical workflows of the application, identified every entry point into the application, and agreed which external services were out of scope for the validation. We then identified all the scenarios to validate, following the industry standard methodology, the OWASP Top 10. The team thoroughly tested the application for different types of attack vectors, such as XSS, CSRF, session fixation, business logic bypass, sensitive information disclosure, insecure direct object reference and privilege escalation, identifying around 20 vulnerabilities. EVRY created a detailed report of all the vulnerabilities, including each defect's severity and the remediation steps for fixing it, and provided detailed recordings of the defects for easy reproducibility. EVRY also retested the vulnerabilities and verified the fixes once they were done.
Business Impact
EVRY's Security Team identified several Critical / High business-logic vulnerabilities that the scanning tool had failed to detect, and thus helped the project team make the application secure. The project team fixed the identified vulnerabilities and moved the application to production with improved confidence.
"...EVRY Team has provided excellent overall value, much better experience than with other Indian companies used by DATAGENIX till date and based upon feedback from other peer companies that have used Indian resources as well."
- Mark Oja, CEO, Datagenix
For more information about all our solutions and offerings, get in touch with:
[email protected] or [email protected]

USA Headquarters: EVRY USA Corporation, 1425 Greenway Drive, Suite 490, Irving, Texas 75038, USA. Phone: 972-514-1113 / 1-844-9-EVRY-USA. Fax: 972-514-1109. www.evry.com/us
India Headquarters: EVRY India Pvt. Ltd., Ground Floor, No. 42, 27th Cross, Brigade Software Park 1, Building B, Banashankari Stage 2, Bangalore – 560 070, Karnataka, India. Phone: +91-80-67388000. Fax: +91-80-67386802. www.evry.in
Global Headquarters: EVRY AS, Snarøyveien 30A, 1360 Fornebu, Norway. Tel: +47-06500 / +47-2314-5000
[email protected] www.evry.com
Copyright © 2017 by EVRY India. All rights reserved. The contents of this document are protected by copyright law and international treaties. EVRY India acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. The reproduction or distribution of the document or any portion of it thereof, in any form or by any means without the prior written permission of EVRY India is prohibited.