Application Security Testing
Checking Your Applications’ Security Controls
With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business-focused attacks, the security focus has shifted to the next battlefront—applications.
Application security involves checking an application's security controls, not the operating system or device that hosts the application. The security review is directly related to the applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software like web servers but focuses on the application software itself. For example, for an application developed using .NET running on a Windows 2022 Server operating system, the focus of the application security testing would be the .NET application, and Windows 2022 would not be tested.
This specialized form of penetration testing utilizes automated and manual testing strategies designed to assess the development efforts of web-based applications. Assessments can be executed using black-box methodologies from an attacker’s point of view or white-box strategies by reviewing source code and developing threat models. Lares® believes that white-box source-assisted testing provides the most value to our clients, as there are a lot of vulnerabilities that are more easily discovered with the source code.
Web Applications
Attackers have turned to application vulnerabilities to find a way into companies. Lares goes beyond the automated scans to manually dig into web applications, finding the deep and more severe flaws that a scanner never finds, such as privilege escalation, logic flaws, and encryption implementation issues. This process is also known as Dynamic Application Security Testing (DAST). Lares further provides our clients with added value through white box testing. We do this through source-assisted testing, as there are a lot of vulnerabilities that are more easily discovered with the source code.
Mobile Applications
Lares dives deep into primarily iOS and Android applications analyzing local storage, transport security between the application and the web service, local database use, and the application runtime environment, including hooking the application to bypass protections. This process is also known as Dynamic Application Security Testing (DAST). Lares further provides our clients with added value through white box testing. We do this through source-assisted testing, as there are a lot of vulnerabilities that are more easily discovered with the source code.
Code Review
Lares scours through the application's source code and runs static code analyzers to identify weaknesses in the code. This process is also known as Static Application Security Testing (SAST). An intelligent approach is taken by focusing on security-critical features, such as authentication, authorization, and encryption, and moving outward from there. Lares also eliminates false positives, the biggest problem with automated scanners, by validating that a vulnerability is present.
Architecture and Configuration Review
By reviewing the design, architecture, and configuration of applications early on in the process, many classes of vulnerabilities can be eliminated before they reach the production environment. Lares can help with the design process of applications and ensure that the environments that they’ll be deployed into are implemented in a secure fashion. This is achieved by reviewing the proposed architecture and design for an application and comparing that against security best practices.
Cloud Applications
As companies turn to the cloud to look for cost savings, they must be aware of the risk and exposure this can cause. Use of the cloud is not inherently dangerous, but due care must be taken to ensure that the service is implemented and configured correctly using security best practices, much like any on-premise system. Lares is familiar with most of the popular cloud services available on the market, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Lares can help companies to ensure that these environments are configured correctly to protect their user’s data from attackers.
Embedded Devices
Embedded systems, such as ATMs, Point-of-Sale (POS) systems, and other similar systems, often run scaled-down, customized, or proprietary Operating Systems. A breach of these systems can have serious implications to the company and their customers. Testing these systems requires a particularly special set of skills to look at the system as a whole, from both the hardware, network, and application layer. Lares is well versed in performing these types of assessments with our team of specialists.
Internet of Things (IoT)
Internet of Things (IOT) devices are the latest hotness for both consumers and corporate users. Whether it’s the latest personal robot or “smart” appliance in the home or a connected audio system for the office, they provide a lot of value and efficiency to their users, but these also provide additional attack surface and complexity to the network and provide just one more way that an attacker could gain a foothold in an organization. Testing these systems requires a particularly special set of skills to look at the system as a whole, from both the hardware, network, and application layer. Lares is well versed in performing these types of assessments with our team of specialists.
Product Security Reviews
Product security reviews are a perfect developmental security step for all manufacturers. This comprehensive review of products will incorporate all levels of the OSI Stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). Lares security specialists are equipped to review advanced end-to-end products from custom hardware through the applications presented to the consumer. This approach looks at a system as a whole rather than only individual components. This review can be used to enhance and fortify the product line as well as be used as a competitive advantage.
DevSecOps and SDLC
There is a principle that as a bug gets much more expensive to fix the closer it gets to production. Based on this principle, it is advantageous to identify and remediate vulnerabilities early in the development process. Lares works with the development and operations team to identify security gaps in the Secure Software Development Lifecycle and helps the development team integrate security into this process to eliminate bugs as early as possible.
Critical Infrastructure
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems help run our critical systems all over the world. From nuclear power plants to the power grid, these systems play a crucial role in keeping life running as we know it. These systems are typically very old and fragile, making for a volatile combination. The Lares testing team is experienced in how to effectively test these types of systems with care to prevent them from going offline.
Reverse Engineering
On rare occasions, it is necessary to decompile opaque binaries, whether they are malware or closed-source applications that are no longer supported. Lares has the expertise to tear an application apart and analyze it at a very low-level to discover its functionality and true intentions. Where possible, Lares can even modify and recompile these applications to bypass functionality or add additional functionality.
Application Team Staffing
Lares can help design, build, execute, and staff application security teams from the ground up. With the current shortage of highly experienced talent in the information security space, the Lares team offers access to its extensive network of highly trained application security experts. Our deep roots in the security community allow immediate access to high-profile talent with the ability to operate in staff augmentation, hybrid, and consultative modes. Each candidate provided will pass a stringent background check and thorough technical review. Each employee will be held to the same stringent standards as all Lares’s engineers to ensure our staffing is equal to or exceeds the best of industry providers.
Lares Top 10 Penetration Test Findings For 2019
Delighted Customers
"They wanted to see us succeed as much as we wanted to see us succeed. This is why, 10 years later, we are still having this conversation."
CASE STUDY: Word & Brown
Using a culture of security as a baseline, Word & Brown achieved compliance because of its security journey — not in spite of it.
BLOG: Web Application Testing The Lares Way
The blog post summarizes some of the key points from the first extracted session of the inaugural Lares Customer Summit that took place on Wednesday, December 2nd, 2020. We hope you enjoy the excerpted highlights of Zach Grace and Rick Tortorella session on web application security testing at Lares.
WEBINAR: Web Application Testing the Lares Way
Join Zach Grace and Rick Tortorella as they describe how the Lares Application Security team scopes and conducts application security engagements. This previously recorded webinar was part of the 2020 Lares Customer Summit.
Continuous
Defensive
Improvement
Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008.
14 Years
In business
600+
Customers worldwide
4,500+
Engagements