I. BLACK BOX WEB APPLICATION PENETRATION TESTING
1. Web Application Threats
While running, a web application is usually permitted to access important system resources, but developers usually focus on making the application's functions work rather than on making it withstand attack by opportunistic hackers. This does not mean that developers don't care about security; usually, they lack application security knowledge. Besides, security issues are often overlooked in both the design phase and the implementation phase.
A vulnerable web application is often exploited by an attacker to take control of the web server and the database server. Beyond that, the attacker could perform other kinds of attacks, such as:
• Website defacement
• Injection of malicious code into the web application
• Theft of sensitive information
• Access to restricted areas
• …
2. How do attackers attack a web application?
There are many ways for an attacker to exploit your web application, from simple ones, such as using a search engine to find your company's exposed sensitive resources, to more complicated or harder-to-detect methods such as:
• SQL Injection
• Cross-Site Scripting
• Remote Command Execution
• Directory Traversal
• …
3. Why prevent attacks on your web application?
A successful exploit can give the attacker access to the web server or the database server, regardless of the size or type of company. The damage may therefore include:
• Loss of sensitive data
• Compromise of client accounts
• Reduced customer trust in the company
• Damage to the company's reputation
• Lost profit
• …
4. How does ITAS help you detect and prevent web application attacks?
ITAS's web application testing packages provide a mechanism for early detection of vulnerabilities and warning to the website administrator, who can then plan to repair or replace the vulnerable functions of the website.
We scan the client's application periodically. The scanning is done by experienced security professionals and does not affect the customer's normal business activities.
II. STATIC CODE ANALYSIS TEST
1. What is a static code analysis test?
A static code analysis test analyses the source code itself to find security flaws at the source code level. Security testing of source code helps programmers detect security flaws from the earliest phase of the Software Development Life Cycle (SDLC) and fix them early. The advantages of source code analysis are: the application can be checked quickly, and vulnerabilities are fixed from the earliest phase of the SDLC, so the cost of fixing them is low. Besides, if the application has many modules, each module can be tested independently of the others. Static analysis does not replace a black box test: it cannot see deployment configuration or runtime behaviour, and its findings need manual triage for false positives.
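As an added example (not code from ITAS or Checkmarx), the checker below shows the kind of check a static analysis tool performs: it parses Python source with the standard `ast` module and flags three of the flaw classes named in section I.2 (SQL injection, remote command execution and directory traversal) while the code is still in the developer's hands. The two source samples it scans are constructed for this example, and the rules are deliberate heuristics matched to those samples; a production tool adds data-flow tracking so that it follows user input through variables rather than only matching call shapes.

```python
# Minimal static analysis checker (added example, not ITAS or Checkmarx code).
# Parses Python source with the standard `ast` module and flags three flaw
# classes at source level. Rules are heuristics matched to the samples below.
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "line rule message")
SHELL_APIS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime (f-string, +, %, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'cur.execute' or 'os.path.join'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        first = node.args[0] if node.args else None
        dynamic = first is not None and _is_dynamic_string(first)
        # SQLI: SQL text assembled at runtime and handed to cursor.execute().
        if name.endswith(".execute") and dynamic:
            self.findings.append(Finding(node.lineno, "SQLI",
                "SQL built from a dynamic string; use a parameterised query"))
        # RCE: command string assembled at runtime and run through a shell.
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords)
        if ((name in SHELL_APIS and shell) or name == "os.system") and dynamic:
            self.findings.append(Finding(node.lineno, "RCE",
                "command run via a shell with runtime data; pass an argv list"))
        # TRAV: open() on a path joined from a non-constant part without
        # normalisation, so a '../' component escapes the base directory.
        if (name == "open" and isinstance(first, ast.Call)
                and _call_name(first) == "os.path.join"
                and any(not isinstance(a, ast.Constant) for a in first.args[1:])):
            self.findings.append(Finding(node.lineno, "TRAV",
                "path joined from untrusted input; realpath it and check the prefix"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse `source` and return its findings ordered by line number."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample: one function per flaw class.
VULNERABLE_SAMPLE = '''
import os, subprocess
def get_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)
def read_report(name):
    return open(os.path.join("/var/reports", name)).read()
'''
# Constructed sample: the same functions, hardened.
FIXED_SAMPLE = '''
import os, subprocess
def get_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()
def ping(host):
    return subprocess.run(["ping", "-c", "1", host])
def read_report(name):
    base = os.path.realpath("/var/reports")
    path = os.path.realpath(os.path.join(base, name))
    if not path.startswith(base + os.sep):
        raise ValueError("path escapes the report directory")
    return open(path).read()
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label, [(f.line, f.rule) for f in scan(src)])
```

Run stand-alone, the script reports three findings (lines 4, 7 and 9 of the vulnerable sample) and none for the hardened sample, which is exactly the module-by-module, pre-deployment feedback the paragraph above describes. The hardened versions use the standard remedies: a parameterised query, an argv list instead of a shell command line, and a resolved path checked against its base directory.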
2. Who needs to check application source code?
Web development companies, online payment and e-commerce companies, information security firms, …
3. Tools for static code analysis testing
Currently, there are many open source and commercial tools for static code analysis, including:
• FindBugs
• FxCop
• PMD
• RATS
• Flawfinder
• CxSuite (Checkmarx)
• Prevent (Coverity)
• Insight (Klocwork)
(References: http://www.owasp.org/index.php/Source_Code_Analysis_Tools)
4. How does ITAS help you with static source code testing?
ITAS is currently a partner of Checkmarx. We provide the CxSuite products and services from Checkmarx as well as support for those products. CxSuite is a leading static source code analysis product and is listed on OWASP's Source Code Analysis Tools page (see the reference link above).