we45’s Web Application Security Solutions
Web Application Vulnerability Assessment and Penetration Testing
Secure Software Development Lifecycle Implementation and Consulting
Application Security - Code Review and Walkthroughs
Web Product Security Consulting and Design

Web App Security Testing - Case Study
One of the largest messaging gateways in the APAC region engaged we45
The client had commissioned web security tests from other providers for over 5 years, but was not confident in the results
Complex application with multiple interfaces, including Web Services
we45 was engaged to perform a comprehensive Web Security Penetration Test

Key Objectives
Perform a comprehensive security test of the Messaging Gateway platform
Identify key risks to user information
Perform a detailed security analysis of the Web Services, which have a direct effect on revenue
Provide comprehensive reports detailing recommendations

The we45 Approach

Application Overview and Threat Modeling
we45’s Security Experts identified the application’s key functionality through an Overview process
Identified key potential risks to the application through a Security Risk Assessment
we45’s methodology was created by CTO Abhay Bhargav and is detailed in his book Secure Java for Web Application Development
It is derived from the OCTAVE and NIST risk assessment methodologies and focused on web applications

Application Security Risk Assessment & Threat Modeling - 2
Application Security Threat Modeling is critical in identifying potential attack scenarios
Identified trust boundaries for the in-scope web apps
Extremely useful for code reviews, security testing and application security documentation
we45’s Security Experts perform threat modeling based on Microsoft’s STRIDE methodology (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)

we45 Web Application Security Testing
Hybrid methodology: automated and manual web application security testing of the target application
Apart from commercial and open source assessment tools, we45’s Security Experts developed special scripts and tools to identify security flaws
Security flaws assessed against the OWASP Top 10, WASC Threat Classification, SANS Top 25 and CERT secure coding guidelines
Security flaws in the Web Services were evaluated in detail

Security Testing Methodology

A Few Key Findings
Deep-seated injection flaws in several sections of the application
Specialized injection attacks were used to gain access to the backend database
Enumerated users and their password hashes, including admin and database users
Cracked the recovered password hashes with offline password-cracking techniques
Web Services flaws:
Unauthenticated access to critical web services
Lack of authorization checks and controls
Deep-seated issues identified in the REST interfaces
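The two finding classes above (an injectable query behind an unauthenticated service, and hashes that could be cracked once dumped) can be modelled in a few dozen lines. The following is an added example, not code from the we45 engagement or from the client’s application: a toy message-lookup service with constructed users, messages and session tokens. It shows the string-concatenated, unauthenticated query that lets a UNION payload pull every user’s password hash out through a response field, an offline dictionary attack on those hashes, and a hardened handler that authenticates the caller, authorizes ownership of the requested record and binds the query parameter. Storing passwords as unsalted MD5 is an assumption made to illustrate why the hashes were cheap to crack; the page does not say which algorithm the client used.

```python
import hashlib
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the demo (not the client's real users or passwords).
SAMPLE_USERS = [
    (1, "alice", "user", "summer2013"),
    (2, "admin", "admin", "letmein"),
    (3, "dbsvc", "db", "P@ssw0rd"),
]
SAMPLE_MESSAGES = [(10, 1, "hi from alice"), (11, 2, "admin note")]
# Constructed session store: bearer token -> user id (stands in for real session handling).
SESSIONS = {"tok-alice": 1, "tok-admin": 2}


def build_db() -> sqlite3.Connection:
    """In-memory database. Passwords are stored as unsalted MD5 (an assumption for
    the demo), which is what makes the dumped hashes cheap to crack offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, pw_hash TEXT);"
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(uid, name, role, hashlib.md5(pw.encode()).hexdigest())
         for uid, name, role, pw in SAMPLE_USERS],
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def get_message_vulnerable(conn: sqlite3.Connection, message_id: str) -> List[Tuple]:
    """Models the flawed web service: no caller identity is checked, and the
    request parameter is concatenated straight into the SQL statement."""
    sql = "SELECT id, owner_id, body FROM messages WHERE id = " + message_id
    return conn.execute(sql).fetchall()


def get_message_hardened(conn: sqlite3.Connection, token: Optional[str],
                         message_id: str) -> List[Tuple]:
    """Authenticate the caller, authorize ownership of the record, and bind the
    parameter so the input can never change the structure of the query."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("401: authentication required")
    if not message_id.isdigit():
        raise ValueError("400: message id must be an integer")
    rows = conn.execute(
        "SELECT id, owner_id, body FROM messages WHERE id = ? AND owner_id = ?",
        (int(message_id), user_id),
    ).fetchall()
    if not rows:
        # Same response whether the record is missing or belongs to someone else,
        # so the endpoint cannot be used to enumerate other users' record ids.
        raise PermissionError("404: no such message for this user")
    return rows


def crack_md5(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack. Feasible only because the hashes are unsalted
    MD5; a salted, slow hash (bcrypt, scrypt, Argon2) defeats this lookup."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def _attempt(fn, *args) -> str:
    """Reduce a handler call to 'allowed' or 'denied' for the comparison below."""
    try:
        fn(*args)
        return "allowed"
    except (PermissionError, ValueError):
        return "denied"


def demo() -> Dict[str, object]:
    conn = build_db()
    # UNION payload matching the three selected columns; the third column is
    # abused to carry "username:hash" out through the message body field.
    payload = "0 UNION SELECT id, role, username || ':' || pw_hash FROM users"
    leaked = get_message_vulnerable(conn, payload)
    creds = dict(row[2].split(":", 1) for row in leaked)
    cracked = crack_md5(list(creds.values()),
                        ["password", "letmein", "summer2013", "P@ssw0rd", "qwerty"])
    return {
        "leaked_users": sorted(creds),
        "cracked": sorted(cracked.values()),
        "hardened_injection": _attempt(get_message_hardened, conn, "tok-alice", payload),
        "hardened_unauthenticated": _attempt(get_message_hardened, conn, None, "10"),
        "hardened_other_users_record": _attempt(get_message_hardened, conn, "tok-alice", "11"),
        "hardened_own_record": _attempt(get_message_hardened, conn, "tok-alice", "10"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the comparison: the vulnerable handler hands back all three usernames with their hashes and every one of them falls to a short wordlist, while the hardened handler rejects the payload, the anonymous call and the request for another user’s record, and only serves alice her own message. The ownership predicate in the query is the authorization check the findings say was missing; binding the parameter is what removes the injection, independent of any input filtering.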

Review & Presentation
Findings presented to developers, project managers and the CTO
Findings were explained in detail by we45’s Security Experts
Findings were prioritized and agreement on remediation was reached

Analysis & Reporting
we45 prepared a detailed Security Risk Assessment and Code Review Report
Findings in the report were ranked by severity
Findings were cross-referenced with industry identifiers such as CWE and CVE
Examples were provided as code snippets with line number information
Multiple recommendations and remediation strategies were provided
An Executive Summary and Action Plan were prepared for management action

Results & View into the Future
Results:
With we45’s support, the client was able to remediate all the security flaws in the application
Enhanced security through implementation of a Secure Software Development Lifecycle
The client was recognized by its industry peers with an award for its security practices and initiatives
The Future:
we45 is the trusted Application Security Partner for this client
we45 also provides detailed product security consulting for the client’s products
we45 - Web Application Security Testing Case Study
