Web Application Security
What is Web Application Security?
Web Application Security is essential for all commercial website owners who rely on traffic to their page for business purposes. It is a specific form of Information Security that protects a comprehensive range of web platforms from security breaches. These include databases, social media sites and software. Therefore, in a global 24/7 economy, you can’t afford to spend time fixing web application vulnerabilities that could leave your site down for hours, days or even permanently.
According to research by Gartner, an estimated 70% of all security breaches are due to vulnerabilities within the web application layer (attacks exclusively using the HTTP/HTTPS protocol). Consequently, traditional security mechanisms such as firewalls and IDS provide little or no protection against attacks on your web applications.
Our Methodology and Approach
A web application security review identifies vulnerabilities inherent in the code of a web application itself, regardless of the technology in which it is implemented, or the security of the web server or back end database on which it is built. Furthermore, it analyses the critical components of a web-based portal, e-commerce application, or web services platform. A web application security audit can be performed separately, or in conjunction with web application pentesting. As a result, both assessments are complementary and model threats from different perspectives.
Using our detailed methodology, and a combination of manual techniques, and proprietary and commercial tools, this type of assessment pinpoints specific vulnerabilities and identifies underlying problems in the web application.
As part of a web application security assessment, our team will analyse the following key areas within your applications:
- Architecture
- Business Logic, Functional Specification & Implementation
- Authentication
- Access Control & Authorisation
- Cryptography
- Session Management
- Data Validation
- Error Condition Handling & Exception Management
- Data Confidentiality
- Management Interface
- Privacy Concerns
Typical Findings of Web Application Vulnerabilities
Our testing commonly reveals web application vulnerabilities including, but not limited to:
- Hidden manipulation
- Parameter tampering
- Cookie poisoning
- Cross Site Scripting (XSS)
- Stealth commanding
- Forceful browsing
- Directory traversals
- Session hi-jacking
- Denial of service
- Information disclosure
- Backdoors and debug options
- Configuration subversion
- Buffer overflow
- Vendor option exploitation
- Access to administration areas and internal modules
- SQL injection
- Improper management of permissions
- XML/SOAP vulnerabilities
- HTTP Attacks.
Our Services
Our approach to web application security testing and web services security is consistent with the practices documented in the Open Web Application Security Project (OWASP) guides. Furthermore, it is complemented with the extensive experience our consultants have gained by performing hundreds of prior engagements.
We can assist with the development of application security frameworks, application development training, the implementation of secure Software Development Lifecycles (SDLC), through to source code reviews and web application pentesting.
Sense of Security is also experienced with performing web application penetration testing which addresses the annual PCI DSS Compliance test requirements.
Above all, our consultants are not only security experts, but also have extensive software development knowledge and experience. This translates to pragmatic solutions and consistently successful client outcomes.
Web Application Security Resources
- Web Application Security Consortium
- Open Web Application Security Project
- SQL Injection Protection in PHP with PDO – Sense of Security Article
Recent IT Security Advisories
Sense of Security is recognised as Australia’s leading application security firm. Please visit our advisories page for a list of recently published advisories.
To discuss how our specialist services can help your organisation with application security please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.