With the migration to cloud computing and web-based services, web applications are necessary and cost-effective tools. However, because they are Internet-facing, web applications increase the public attack surface. This can create the gateway cybercriminals need to access your data, or provide a convenient tool to leverage as part of a malicious campaign.
Sword & Shield Enterprise Security partners with you through our Web Application Assessment service to empower your business to offer and use secure web applications. Our web security experts evaluate your web app vulnerabilities created by flaws in the development, configuration, deployment, upgrade process, maintenance or third-party add-ons of the application, and then provide a road map for remediation.
Following the Open Web Application Security Project (OWASP) Application Security Verification Standard, our certified GIAC web application penetration testers (GWAPT) apply their depth and breadth of information security and compliance knowledge to provide you with a detailed security analysis.
Our web application testing covers the entire exposed web app environment, from the server hosting the app to any back-end APIs.
This service includes a penetration test to determine if the protective controls of the target can be bypassed. This can be provided as part of a comprehensive compliance solution for the following:
Sword & Shield offers third-party web application assessments for these types of clients:
Web application developer: Security should be “baked in” to your web application, not bolted on. Sword & Shield works with you during the software development lifecycle to identify and mitigate vulnerabilities prior to going to market.
Web application user: You should always request a certificate of attestation from your web application vendor. If the company cannot provide one, or you desire an objective analysis, Sword & Shield’s web app assessment is the service you need. We test and report on our findings, then work with you to close the vulnerability gaps.
Sword & Shield feels our web application assessment report is as valuable as the exercise itself. We use a proprietary platform to comprehensively report identified vulnerabilities, documenting our process and findings to produce a thorough and helpful roadmap for remediation.
Hiring an individual Sword & Shield resource means you get the strength of a team made up of passionate security analysts. The pride we take in the quality of services we deliver supports our customer-first approach, and leads to our high level of customer retention. In addition, as a full-service information security and compliance firm, your web app assessor has access to teams of expert internal resources in areas including HIPAA and PCI, managed security services, forensics, and more.
As a full-service security and compliance firm, Sword & Shield offers a host of related solutions. In addition to the web application assessment, clients may opt for these related services:
Preventing a breach via custom Web Security Testing
While conducting an application assessment for a small insurance company, Sword & Shield analysts discovered a permissions issue within a custom web application. The application allowed anonymous (non-authenticated) Internet hosts to view detailed information about the company’s clients, including date of birth, Social Security number, and insurance policy details. The application was not properly tracking sessions and session states, which enabled this security loophole.
Based on Sword & Shield’s findings, the insurance company was able to correct the session and session state issues. Sword & Shield’s web security testing helped the insurance company prevent a security breach via their custom web application.
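The defect pattern behind this finding, shown as an added example rather than the company's or the client's code: a record handler that ignores session state beside one that requires a live session bound to the requested client. The client records, session store and TTL are constructed for the illustration.

```python
import secrets
import time

# Constructed in-memory data standing in for the client database and session store.
CLIENT_RECORDS = {
    "C-1001": {"name": "A. Example", "dob": "1970-01-01", "policy": "AUTO-44"},
    "C-1002": {"name": "B. Example", "dob": "1982-05-17", "policy": "HOME-12"},
}
SESSION_TTL_SECONDS = 900
_sessions = {}  # session_id -> {"client_id": ..., "expires": ...}


def login(client_id, now=None):
    """Create an authenticated session bound to exactly one client; returns the session id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"client_id": client_id, "expires": now + SESSION_TTL_SECONDS}
    return sid


def vulnerable_client_detail(client_id, session_id=None):
    """The pattern in the finding: session state is never consulted, so an anonymous
    request naming any client id receives that client's record."""
    return CLIENT_RECORDS.get(client_id)


def hardened_client_detail(client_id, session_id=None, now=None):
    """Require a live session and tie the request to the client it was issued for.
    Returns None (to be sent as HTTP 401/403) for anonymous, expired or cross-client access."""
    now = time.time() if now is None else now
    session = _sessions.get(session_id) if session_id else None
    if session is None:
        return None  # anonymous: no valid session presented
    if session["expires"] <= now:
        _sessions.pop(session_id, None)  # expired: discard server-side state too
        return None
    if session["client_id"] != client_id:
        return None  # authenticated, but not for this client's data
    return CLIENT_RECORDS.get(client_id)
```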
Correcting SQL injection vulnerability to protect patient data
When performing an external web application assessment/penetration test for a hospital, Sword & Shield analysts discovered an error-based SQL injection vulnerability on an insignificant page of the hospital’s main public website. When the SQL injection toolset normally used by the analysts to exploit the vulnerability failed because of character filtering, they modified an existing open-source injection program and created new scripts to overcome the filtering limitations. The vulnerability led to a complete compromise of the underlying shared internal database, which contained personally identifiable information (PII) on hospital workers, sample credit card information, and login authentication information. Using the authentication information, the analysts were able to create new accounts or log into existing accounts on the hospital’s employee web pages from the Internet.
The hospital was in the process of implementing an online store and the SQL injection vulnerability could have led to identity and/or information theft via the Internet. Based on Sword & Shield’s web application security testing, the hospital modified the offending web application code to correct the SQL injection vulnerability—thereby preventing a potential security breach.
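An added illustration of why the code change, not the character filtering, was the fix (example code, not the hospital's application): a lookup that concatenates a filtered parameter into SQL beside a parameterized lookup that validates its input. The table and its rows are constructed; sqlite3 stands in for the shared database.

```python
import sqlite3


def build_db():
    """Constructed sample table standing in for the shared internal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT, dept TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                     [(1, "alice", "billing"), (2, "bob", "radiology"), (3, "carol", "it")])
    return conn


def filtered(value):
    """Character filtering of the kind the assessment ran into: it strips quotes and
    comment markers, but a numeric context in the query needs none of them."""
    for token in ("'", '"', ";", "--"):
        value = value.replace(token, "")
    return value


def lookup_vulnerable(conn, staff_id):
    """Builds the query by string concatenation; the filter is the only defense."""
    sql = "SELECT username FROM staff WHERE id = " + filtered(staff_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, staff_id):
    """Parameterized query: the value is bound by the driver and never parsed as SQL.
    Input that is not a numeric id is rejected instead of sanitized."""
    if not staff_id.isdigit():
        raise ValueError("staff id must be numeric")
    rows = conn.execute("SELECT username FROM staff WHERE id = ?", (int(staff_id),))
    return [row[0] for row in rows]
```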
Request a Free Consultation for our Security Assessment services.
Sword & Shield provides a wide variety of security assessment related services for our clients. The following list provides an overview of some of the most common services we perform. For more details about these services or other services we perform, contact us today.
Our engineers are experienced in auditing Oracle, Microsoft SQL, Notes, and several other database management system products. Among other things, Sword & Shield security engineers analyze authentication and authorization controls in the database system for least-privilege access controls and audit traceability. Emphasis is placed on matching the degree of security with the business and operational needs.
A Sword & Shield Firewall/Router Audit thoroughly evaluates the rule base for known security risks and policy violations. As a first line of defense against attacks, firewalls and routers must be implemented and maintained properly. Our Firewall/Router Audit provides a detailed analysis that reduces risks and increases perimeter security.
Our Mobile Application Assessment, when combined with our Web Application Assessment, provides a comprehensive assessment of the security of the web application and the mobile devices used to interact with the application. The service analyzes the network transmissions and forensically analyzes the mobile device(s) used.
Sword & Shield performs a sweep of the telephone address space to detect unauthorized modems and authorized but insecure modems. We can perform a phone sweep as a stand-alone service, or as part of another service, such as an external network vulnerability/penetration test.
The Architecture Review and Design process is coordinated through a client project manager and includes a set of structured interviews. These interviews and reviews focus on business areas supported by the network and the technology staff that supports the business units.
This service provides the customer with the analysis necessary to protect all facets of a virtualized infrastructure. Included are areas related to access control, the application of least privilege, data protection, secure network configuration, disaster recovery planning and testing, and threat analysis. The goal of the assessment is to identify security gaps and develop remediation strategies.
The VPN Audit service audits your VPN and your VPN policies and recommends techniques to optimize and enhance your VPN’s effectiveness. We identify potential security vulnerabilities and help you reduce your risks.
Web application security encompasses measures taken throughout the application’s life cycle to prevent exceptions to the security policy of an application, or of the underlying system, that arise from flaws in the design, development, deployment, upgrade, or maintenance of the application.
Sword & Shield's Wireless Testing examines the subsystems, components and security mechanisms of a wireless network and identifies any weaknesses.