Critical business applications represent one of the most significant risks an organization faces. Appropriate security due diligence is integral to ensuring that applications behave as expected and that residual risk is reduced to an acceptable level. Due diligence should be performed, where justified by risk, across four domains: Data, Application, Technology and Process.
The first three domains are best addressed by the following activities (the extent and rigor of the activity generally increase as you progress down the list):
- Application Threat Assessment;
- Application Security Architecture Review;
- Application Vulnerability Assessment;
- Source Code Scanning;
- Security Code Review; and,
- Application Penetration Testing.
The fourth domain (process) is best addressed by the following activities:
- Operational Audit; and,
- Application Development Life Cycle Assessment.
The application's risk profile, its current SDLC phase, and the importance of specific controls in reducing risk are generally the predominant factors in determining which of the eight activities outlined above will provide the organization with an appropriate level of assurance. The order in which they are presented is not necessarily the order in which a particular application warrants them.

To the extent possible, our Application Security Assessment activities align with the "OWASP Application Security Assessment Standards Project". The project's primary objective is to establish common, consistent application security assessment standards that organizations can use as guidance on which tasks should be completed, how they should be completed, who should be involved, and what level of assessment is appropriate for the business requirements.