Focused Application Testing
En Garde reviews services, protocols, untrusted data, and user interaction models from a focused security perspective, allowing you to avoid embarrassing security exposures or costly deployment of patches.
Flawed code and vulnerabilities that reappear in generation after generation of software make an attacker's job easier. Detailed application-level testing allows the system to be rigorously examined, focusing on how attacks would be mounted against it: where the application gets its information, how that information is processed, and what effect the information has on the underlying system. During an application review En Garde performs analysis to (i) identify any flaws, errors, or other liabilities inherent to the software; (ii) measure the extent to which identified flaws and errors can be exploited to compromise or otherwise subvert system processes and security; and (iii) recommend patches, configuration changes, or other corrective actions that can be taken to strengthen system security. Details of all work performed, including testing and our analysis of network security conditions, are consolidated into a comprehensive report.
Design and Architectural Reviews
En Garde starts by reviewing the design and goals of the application to determine what types of security controls are anticipated. Applications often have to handle untrusted user data, and the control and isolation of that data becomes a critical area of the design and data flow. Additionally, many applications provide their own security functions, for example access control permissions that limit access within the program, and these features require special consideration.
Threat Modeling and Risk Analysis
En Garde will walk through the application with you to determine the most critical types of attacks and threats. These threats can range from reliability issues, such as handling hundreds of thousands of requests, to data-sensitivity requirements, such as ensuring that credit card numbers are never exposed to the user. Given these threats, we then evaluate the application's digital risk level.
Test and Validation
In addition to reviewing the design and proposed security functionality, we examine the application implementation hands-on, looking for programmatic and integration errors that may allow an attacker to gain access to the data, application controls, or host system.