Application Penetration Assessment

Find and fix application vulnerabilities

Next Steps:

Overview

Why let hackers discover your applications' vulnerabilities? Let Foundstone find your security weaknesses and fix them first. Foundstone can save your company’s reputation and prevent revenue losses.

The National Institute of Standards and Technology estimates that up to 92% of today’s vulnerabilities are at the application layer. Almost every major application in use today has experienced at least one critical vulnerability broadcast, resulting in loss of sales, as well as loss of reputation and customer trust. Foundstone Application Penetration testing service looks at an application from the perspective of a malicious hacker and finds the holes before they can be disclosed publicly and exploited.

Key Benefits

  • Find holes in applications before the hackers
  • Perform security quality assurance before applications are released
  • Understand your risk and the potential impact to your business and products
  • Trust our manual testing for accuracy and effectiveness
  • Secure active knowledge transfer of testing techniques, issues, and remediation

Methodology

The testing begins with static reviews of the binary executables and libraries that make up the application. Server-level scans search for known vulnerabilities and common misconfigurations. Our penetration assessment consultants then perform a discovery process to gather information about the application and search for information disclosure vulnerabilities that reveal secrets such as passwords, cryptographic keys, or customer information. With this data in hand, Foundstone conducts the bulk of the testing, which consists of:

  • Configuration management testing, including unearthing the presence of sensitive information in configuration files. It also seeks environment information that can be tampered with to alter application behavior, as well as secrets and textual strings in the application binaries or in memory.
  • Examination of data protection in storage and transit, when sensitive information is communicated across the network, or stored on a disk or database.
  • Authentication and authorization testing to determine opportunities for bypass and privilege escalation.
  • Session and state management checks for session hijacking and other such attacks.
  • Data validation testing detecting problems such as SQL injection and buffer overflows.
  • Error handling and exception management testing that attempt to crash the application into an insecure state or cause information disclosure through crash dump files.
  • Auditing and logging checks that attempt to subvert audit trails, create fake log entries, discover sensitive information from the log files, or use the logging mechanism as an attack vector.

During all of the testing, the main goal is to compromise the application's servers, remote agents, and clients. Additionally, Foundstone searches for application vulnerabilities that would allow an attacker to gain access to the underlying operating system or the backend database servers.