Application Security Assessment

Overview

What is an application assessment and how does it benefit me?

Attacks are shifting from the network level to the application level. The number of high-profile attacks on financial websites is rising. End-user workstations are under continuous attack by sophisticated malware aimed directly at the web applications they use. Regulatory pressure is rising as well.

An application security assessment examines your application and reports on the weaknesses found. Unlike a penetration test (which Astyran also performs), the goal is not to penetrate the application as far as possible, but to identify and report as many vulnerabilities as possible.


Key Differentiators

What sets us apart?

Our approach is business driven: vulnerabilities are investigated, documented and reported according to the potential damage that may arise if they are exploited.

The focus of our report is on guidance for improving the security posture we found. It includes the following content:

  • An executive summary with a score and high-level recommendations. This summary is written for business managers and does not use technical jargon. It gives recommendations on how to tackle each issue (e.g. quick fix possible, temporary fix, complex change, new application), taking cost into account, and indicates which processes (e.g. change management, configuration management, training, …) need to be improved.
  • Separate summaries for audit, security and IT management.
  • A description of the scope, scoring method and methodology.
  • The issues found, rated from high to low (per component), each with a description of the issue, its possible impact and the possible remediation steps.

Methodology

Tool assisted, but mind driven

Based on business relevancy

We consider the business threats and risks at the start of a project and make certain that we focus on your points of attention. Scoring is based on how critical the application, and the data it handles, is for your business.

Standards Compliant

Our methodology is based on the Open Web Application Security Project (OWASP) Testing Guide for tests at the (web) application level. We use a mixture of automated scans, using open source as well as commercial tools, followed by verification and deeper probing of the application by a highly skilled consultant. This pragmatic and cost-efficient approach meets the requirements of international standards, such as:

  • The Payment Card Industry Data Security Standard (PCI DSS) requires periodic automated scans and penetration tests at the application and network level, as well as source code review for payment applications;
  • The document "IT Control Objectives for Sarbanes-Oxley" by the Information Systems Audit and Control Association (ISACA) states that a SOX-compliant company can be expected to perform risk assessments of its infrastructure and processes;
  • ISO 17799 (since renumbered as ISO/IEC 27002) states that the capability of service providers must be assessed and that contracts must provide the right to monitor and audit. It further states that compliance checks include penetration tests and vulnerability assessments, which may be executed by external experts;
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that contracts with partners stipulate that administrative, physical and technical measures are taken to protect the security of the information received.

Types of Application Assessments

Make your Choice: Blackbox, White Box, Crystal Box

There are different types of application security assessments. Make your choice depending on your business objectives and your security and audit needs:

  • Black Box tests: Assume zero prior knowledge of the system and no advance access to any accounts. The result is a view of how far a malicious user or hacker can get in a limited time. Note that this is not a complete view: an attacker is not limited by time, while the tester is.
  • White Box tests: Use existing or newly created end-user accounts for additional access during testing. This gives an informed view of what an insider (user, consultant, outsourcer personnel) can do.
  • Crystal Box tests: Performed with an application administrator account, giving full access to the application, its configuration and its data.

Where applicable tests are executed from three perspectives:

  • Anonymous User: The test is executed from the perspective of an anonymous user with no or minimal knowledge of the target system. Focus points include the logon and authentication process, session management, and any other area of the target application that may provide remote, unauthenticated or unauthorized access.
  • Authenticated User: The test is carried out with the knowledge and access of a normal user, so a set of valid user accounts and passwords is required. The focus is on authentication and authorization controls and procedures, roles, and limitations such as time restrictions, and on potential contamination: assuming the access rights of another user, or viewing and modifying another user's data.
  • Power User: Power users have very specific, powerful access to the system hosting the application without being users of the application itself (e.g. system administrators, database administrators, operators, software maintainers). The focus is on access to system logs, audit trails, configuration files and other potentially sensitive data on the system, and on dangerous functions such as re-enabling user accounts, stealing credentials or modifying evidence. We assess how well the system prevents and detects such actions, and whether its audit trails provide evidence of what power users did.
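The "contamination" check from the Authenticated User perspective is easy to automate once you hold two or more valid accounts: take every resource identifier one user legitimately owns and replay it under the other users' sessions. The example below is added here and is not Astyran's tooling; it uses a constructed in-memory "invoice" application (the names `InvoiceStore`, `Session`, the `inv-…` identifiers and the handler functions are all assumptions for illustration) with a vulnerable read/update handler beside a fixed one, and a harness that first confirms the owner's own access works (so a refusal is not mistaken for a broken endpoint) and then reports every cross-user read or write that succeeds.

```python
"""Horizontal authorization ("contamination") check, added example.

The app below is constructed for illustration: an invoice store where each
record has an owner. The vulnerable handlers trust the identifier in the
request and never compare the record's owner with the session's user.
"""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str          # the authenticated user behind this session


class InvoiceStore:
    def __init__(self, invoices):
        # invoice_id -> {"owner": user_id, "amount": int}
        self.invoices = invoices


# --- vulnerable handlers: object lookup only, no ownership check -------------
def get_invoice_vulnerable(store, session, invoice_id):
    rec = store.invoices.get(invoice_id)
    return (404, None) if rec is None else (200, rec)


def update_invoice_vulnerable(store, session, invoice_id, patch):
    rec = store.invoices.get(invoice_id)
    if rec is None:
        return 404, None
    rec.update(patch)
    return 200, rec


# --- fixed handlers: the record must belong to the session's user ------------
def _owned(store, session, invoice_id):
    rec = store.invoices.get(invoice_id)
    # Missing and foreign records get the same answer, so an attacker cannot
    # use the status code to enumerate which identifiers exist.
    return rec if rec is not None and rec["owner"] == session.user_id else None


def get_invoice_fixed(store, session, invoice_id):
    rec = _owned(store, session, invoice_id)
    return (404, None) if rec is None else (200, rec)


def update_invoice_fixed(store, session, invoice_id, patch):
    rec = _owned(store, session, invoice_id)
    if rec is None:
        return 404, None
    rec.update(patch)
    return 200, rec


# --- the check -----------------------------------------------------------------
def contamination_check(read, write, store, sessions):
    """Replay each user's own invoice ids under every other user's session.

    Returns a list of (kind, attacker, victim, invoice_id) findings; an empty
    list means no cross-user read or write succeeded. Works on a copy so the
    caller's store is left untouched by the write attempts.
    """
    store = copy.deepcopy(store)
    findings = []
    for victim in sessions:
        owned = [i for i, r in store.invoices.items() if r["owner"] == victim.user_id]
        for inv_id in owned:
            # Baseline: the legitimate owner must be able to read their record,
            # otherwise a 404 for the attacker proves nothing.
            if read(store, victim, inv_id)[0] != 200:
                raise RuntimeError(f"baseline failed: {victim.user_id} cannot read {inv_id}")
            for attacker in sessions:
                if attacker == victim:
                    continue
                if read(store, attacker, inv_id)[0] == 200:
                    findings.append(("read", attacker.user_id, victim.user_id, inv_id))
                if write(store, attacker, inv_id, {"amount": 0})[0] == 200:
                    findings.append(("write", attacker.user_id, victim.user_id, inv_id))
    return findings


def sample_store():
    # Constructed test data: alice owns two invoices, bob owns one.
    return InvoiceStore({
        "inv-1001": {"owner": "alice", "amount": 120},
        "inv-1002": {"owner": "alice", "amount": 75},
        "inv-2001": {"owner": "bob", "amount": 300},
    })


if __name__ == "__main__":
    users = [Session("alice"), Session("bob")]
    for label, r, w in (("vulnerable", get_invoice_vulnerable, update_invoice_vulnerable),
                        ("fixed", get_invoice_fixed, update_invoice_fixed)):
        for f in contamination_check(r, w, sample_store(), users) or [("none",)]:
            print(label, f)
```

Against the vulnerable handlers the harness reports six findings (bob reading and writing both of alice's invoices, alice reading and writing bob's); against the fixed handlers it reports none while the owners' own access still succeeds. In a real assessment the handlers are replaced by HTTP calls carrying each account's session cookie, and the list of "owned" identifiers is harvested from the pages the victim account can legitimately see.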

Frequently Asked Questions

Don't hesitate to contact us if something is not clear

What is your pricing model?

All assessments are fixed price. You know upfront what it will cost you.

Do you use tools?

Of course we do. Consultants do not scale well, and there is a limit to how many attack vectors can be checked in a limited amount of time, so tools are used. The security expert knows how to run those tools, knows their limitations, and then fills in the gaps to complete the assessment. You want the consultant to spend their time looking for issues that are relevant to your business and that a scanner cannot detect.

Can you give us a list of tools used?

Normally our answer to your request for a proposal will list generic tools used. The final report details the list of tools used for your specific application.

How do you protect our confidentiality?

Security measures regarding communication, reporting and data security are agreed at the kick-off of a project. Typically, encryption is used for all communication. Data gathered during an assessment is destroyed one month after acceptance of the final report, and you receive written confirmation of this destruction.