Web Application Security
CCLab proposes a step-by-step approach to its clients. The target security level can be reached incrementally: first solving the most pressing problems, then strengthening the security of the IT system gradually. During security evaluations we follow a methodology based on our Common Criteria evaluation experience.
To be effective, application security needs to cover the entire product development lifecycle, from design through implementation and testing, including training:
- Security by design
BCM consulting, BCP and DRP creation, UAT (User Acceptance Test) and security testing design and management, site security screening
- Secure coding training
- Vulnerability assessment
Using the Flaw Hypothesis Methodology to analyse the system's operation and reveal possible vulnerabilities.
- Penetration testing
Our methodology is broader than ethical hacking: it grew out of our systematic evaluation methodology and focuses on practical implementation (conceptual black box, gray box and white box testing).
Examples of errors that can be corrected during hardening: lack of input validation (SQLi, XSS, RFI, LFI); bypassing of entitlement levels; weak or poorly implemented cryptographic algorithms; memory management problems (buffer overflow); session management issues (session fixation, replay attacks); vulnerabilities due to incorrect configuration.
- Security audit
This is a full on-site inspection: recognising human behavioural patterns; examining areas in accordance with regulations; observing and enforcing security measures; and addressing deception, distraction, human behavioural change and social engineering techniques through information security awareness controls.
For mobile applications CCLab proposes to follow the OWASP Mobile Application Security Verification Standard. The evaluation process is based on the MASVS-L1 (Standard Security) level and is additionally extended to the MASVS-L2 (Defense-in-Depth) level.