Application Security

Checking Your Applications’ Security Controls

With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business focused attacks, the security focus has shifted to the next battlefront—applications.

Application security involves checking the security controls of an application, not the operating system or device that hosts the application. The security review is directly related to the applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as the web servers, but rather focuses on the application software itself. For example, for an application developed using Active Server Pages (ASP), using a Microsoft Internet Information Server (IIS) running on a Windows 2000 operating system, the focus of the application security testing would be the ASP application, and neither IIS nor Windows 2000 would be tested.

This specialized form of penetration testing utilizes automated and manual testing strategies designed to assess the development efforts of web-based applications. Assessments can be executed using black-box methodologies from an attacker’s point of view or white-box strategies by reviewing source code and developing threat models. Lares® believes that white-box source-assisted testing provides the most value to our clients, as there are a lot of vulnerabilities that are more easily discovered with the source code.

Web

It seems like everything is either a web application or has some backend web service these days. As most organizations have a pretty mature external network perimeter, attackers have turned to application vulnerabilities to find a way into companies. Lares goes beyond the automated scans to manually dig into web applications, finding the deeper and more severe flaws that a scanner will never find, such as privilege escalation, logic flaws, and encryption implementation issues. This process is also known as Dynamic Application Security Testing (DAST). Lares goes even further to provide our clients with added value through white-box testing. We do this through source-assisted testing, as there are a lot of vulnerabilities that are more easily discovered with the source code.

Mobile

Many companies have mobile applications to provide extra value and convenience to their clients. However, this also adds extra attack surface to those companies. Lares dives deep into primarily iOS and Android applications, analyzing local storage, transport security between the application and the web service, local database use, and the application runtime environment, including hooking the application to bypass protections. This process is also known as Dynamic Application Security Testing (DAST). Lares goes even further to provide our clients with added value through white-box testing. We do this through source-assisted testing, as there are a lot of vulnerabilities that are more easily discovered with the source code.

Code Review

There are classes of vulnerabilities, such as hard-coded credentials and encryption implementation flaws, that are nearly impossible to discover through dynamic testing, especially on a time-boxed assessment. Additionally, once a vulnerability is discovered, the source can be searched to find where else in the code this flaw has been introduced due to code reuse. Lares will scour the source code of the application in addition to running static code analyzers to identify weaknesses in the code. This process is also known as Static Application Security Testing (SAST). An intelligent approach is taken by first focusing on security-critical features, such as authentication, authorization, and encryption, and moving outward from there. Lares will also eliminate false positives, which are the biggest problem with automated scanners, by validating that a vulnerability is actually present.

Architecture and Configuration Review

By reviewing the design, architecture, and configuration of applications early on in the process, many classes of vulnerabilities can be eliminated before they reach the production environment. Lares can help with the design process of applications and ensure that the environments that they’ll be deployed into are implemented in a secure fashion. This is achieved by reviewing the proposed architecture and design for an application and comparing that against security best practices.

Cloud

As companies turn to the cloud to look for cost savings, they must be aware of the risk and exposure this can cause. Use of the cloud is not inherently dangerous, but due care must be taken to ensure that the service is implemented and configured correctly using security best practices, much like any on-premises system. Lares is familiar with most of the popular cloud services available on the market, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Lares can help companies ensure that these environments are configured correctly to protect their users’ data from attackers.

Embedded

Embedded systems, such as ATMs, Point-of-Sale (POS) systems, and other similar systems, often run scaled-down, customized, or proprietary operating systems. A breach of these systems can have serious implications for the company and its customers. Testing these systems requires a particularly special set of skills to look at the system as a whole, across the hardware, network, and application layers. Lares is well versed in performing these types of assessments with our team of specialists.

Internet of Things (IoT)

Internet of Things (IoT) devices are the latest hotness for both consumers and corporate users. Whether it’s the latest personal robot or “smart” appliance in the home or a connected audio system for the office, they provide a lot of value and efficiency to their users, but they also add attack surface and complexity to the network and provide just one more way that an attacker could gain a foothold in an organization. Testing these systems requires a particularly special set of skills to look at the system as a whole, across the hardware, network, and application layers. Lares is well versed in performing these types of assessments with our team of specialists.

Product Security Reviews

Product security reviews are a perfect developmental security step for all manufacturers. This comprehensive review of products will incorporate all levels of the OSI Stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). Lares security specialists are equipped to review advanced end-to-end products from custom hardware through the applications presented to the consumer. This approach looks at a system as a whole, rather than as only individual components. This review can be used to enhance and fortify the product line as well as be used as a competitive advantage.

DevSecOps and Secure SDLC

There is a principle that a bug gets much more expensive to fix the closer it gets to production. Based on this principle, it is advantageous to identify and remediate vulnerabilities early in the development process. Lares works with the development and operations team to identify security gaps in the Secure Software Development Lifecycle and helps the development team integrate security into this process to eliminate bugs as early as possible.

ICS/SCADA

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems help run our critical systems all over the world. From nuclear power plants to the power grid, these systems play a crucial role in keeping life running as we know it. These systems are typically very old and fragile, making for a volatile combination. The Lares testing team is experienced in how to effectively test these types of systems with care to prevent them from going offline.

Reverse Engineering & Full Decompile/Recompile Capabilities

On rare occasions, it is necessary to decompile opaque binaries, whether they are malware or closed-source applications that are no longer supported. Lares has the expertise to tear an application apart and analyze it at a very low level to discover its functionality and true intentions. Where possible, Lares can even modify and recompile these applications to bypass functionality or add additional functionality.

Application Security Staffing

Lares can help design, build, execute, and staff application security teams from the ground up. With the current shortage of highly experienced talent in the information security space, the Lares team offers access to its extensive network of highly trained application security experts. Our deep roots in the security community allow immediate access to high-profile talent with the ability to operate in staff augmentation, hybrid, and consultative modes. Each candidate provided will pass a stringent background check and thorough technical review. Each employee will be held to the same stringent standards as all Lares’s engineers to ensure our staffing is equal to or exceeds the best of industry providers.

Where There is Unity, There is Victory

[Ubi concordia, ibi victoria]

– Publius Syrus


Continuous defensive improvement through adversarial simulation and collaboration.

©2019 Lares, LLC | All rights reserved.