Application Security Assessment
An application security assessment is used to identify potential security threats and weaknesses in applications. Those weaknesses can enable the execution of an attack which may affect the confidentiality, availability and integrity of the data in applications (e.g., unauthorized access, data changes, denial of service, etc.).
Applications use different types of underlying technologies (web, mobile, client based, etc.). Regardless of their type, security threats can be linked to:
- a client;
- network or transport routes;
- server infrastructure.
A comprehensive application security assessment is performed in several phases, within which the architecture, modules and operation of the application are examined in detail. The typical types of weaknesses in applications are:
- access to data without authentication;
- insecure local data storage;
- execution of actions on behalf of another user, such as the execution of transactions, activation/deactivation of services, etc.;
- change of the password of another user to take ownership of that user account;
- privilege escalation of user rights, which enables the user to execute privileged actions, e.g., price changes, etc.;
- access to data or changes of data of another user.
With a detailed application security assessment, which includes user login, one can get a clear answer whether the application security controls are appropriate.The most in-depth identification of security weaknesses is obtained by the application’s source code security review, particularly as coding errors are often the primary cause of security issues. It is important that the review is performed by independent application security experts who were not involved in the application’s development. A source code security review is composed of several steps, where the customer provides all the available information (“white-box” principle). Firstly, a specialised software tool is used to identify potential security issues in the source code. Then, a manual review of the results is performed in cooperation with software developers from the customer and security experts from the assessor to eliminate false positives. Lastly, a penetration test is performed that unambiguously confirms the identified security weaknesses.