Application Security
Pivot Point Security provides comprehensive application assessment services (e.g. SDLC review, Static Application Security Testing, Software Composition Analysis, Dynamic Application Security Testing, Penetration Testing) to help organizations validate that critical business applications are appropriately secured. Our team of experts will work together with yours to analyze your application’s code and infrastructure to identify any security weaknesses that could be exploited by malicious actors. We will also provide guidance on how best to address any identified issues. With Pivot Point Security’s expertise in application security penetration testing, you can rest assured that you will achieve a provably secure and compliant Application Security posture.
During an Application Penetration Test, our ethical hackers provide the following services:
- Manual and automated testing to ensure complete coverage when determining weaknesses in your web applications
- Alignment with the Open Web Application Security Project (OWASP) to ensure that the most common application exploitation mechanisms have been mitigated
- Formal reporting including gap analysis, relevant findings, and a mitigation roadmap
Application Penetration Tests provide:
- An understanding of your application vulnerabilities and a measure of the impact if they are exploited
- An identification of flaws in business logic that Vulnerability Assessments may not find
- An inexpensive means of providing attestation to the net security posture of an application
- A best practices approach to formal Security Certification & Accreditation of critical applications
- Critical input to moving your application towards Secure Software Development Framework compliance (NIST 800-218)
During an Application Penetration Test, a Pivot Point Security engineer simulates a real life attack on your application’s security controls to gain access to sensitive data. Unlike an automated scan, our hands-on approach provides intelligent and customized responses, avoids false positives, and demonstrates the effects of actual vulnerabilities within an application. Application Pen Testing lets you know whether a real world hacker could do real harm to your system and your company.
Pivot Point Security’s expert analysts address the most important security threats using the OWASP methodology, including:
- SQL Injection
- OS Command Injection
- Broken Authentication & Session Management
- Insecure Direct Object References
- Cross Site Scripting
- and More…
APIs are now an important part of almost every application development project, including web applications and mobile apps. But due to the increased usage of APIs, especially from third-party sources (Google Maps API, Facebook Graph API, LinkedIn REST API, etc.), it’s often challenging for developers to prove their APIs and overall web applications are secure.
Application developers and owners face increasing pressure to identify and mitigate the vulnerabilities within their application’s architecture and prove it is secure to customers and other stakeholders.
A Web Application Architecture Review and Threat Assessment conducted by Pivot Point Security in accordance to the OWASP Application Security Verification Standard (ASVS) framework identifies all possible vulnerabilities/risks and measures the security of existing controls against best-practice control implementations.
While cloud and on-premises applications may have different architectures; both can contain vulnerabilities that pose serious business risk. It doesn’t matter whether it lives under your desk, in your data center or in the cloud—if an application is used in your business, it should be included in your security program.
Andrew van der Stock the President of OWASP summarized the difference on the vCISO podcast (paraphrased): “The OWAS Top 10 is an awareness document. It is essentially a list of things that go wrong with web apps or things “not to do”. The OWASP ASVS is a list of things that you should do.” The OWASP Application Security Verification Standard (ASVS) is a holistic, comprehensive application security that outlines 262 best practices that your development team can use during the build phase and your security assessment team can use pre-release.
It is highly preferable to test in a prod identical QA environment. To test for the most significant vulnerabilities (e.g., persistent injection attacks) penetration testers and tools will attempt to write to crucial files and/or the database, which could result in data loss or corruption for your users. If necessary/preferable, those findings can be carefully validated in the production environment.
