E-LIGHT's experience allows it to perform security analysis of web applications of any complexity.

Security evaluation of web applications may be performed both with “black box” and “grey box” techniques and by analysing the source code. The second approach is more effective but also more time-consuming.

The work uses conventional methods of analysis and application security assessment: the OWASP Top 10, the Web Application Security Consortium Threat Classification and the Common Vulnerability Scoring System. All components of the web application are analysed: design, networking, operating system settings, external data sources, information storage, the authorization and authentication mechanisms used, and the server and client components.

Procedure of the work:

  1. Determination of the method to be used for the analysis of web applications (“black box”, source code analysis, or a combination of the methods).
  2. Performance of instrumental (automated) tests and manual tests for specific types of vulnerabilities (weeding out false positives and identifying vulnerabilities that cannot be detected by automated means). Based on the characteristics of the detected vulnerabilities, such as exploitation complexity, availability of exploitation methods, potential losses in case of an attack, etc., those that could be used by a real intruder are selected. These vulnerabilities are then studied to identify ways of exploiting them, followed by development of the attack software and the attack itself.
  3. All active actions must be agreed with the customer.

The result of the work is delivered in a report containing:

  • Conclusions for management, containing an overall assessment of the level of web application security.
  • The test procedure.
  • Information about all detected vulnerabilities.
  • The results of exploiting several critical vulnerabilities.
  • Recommendations on eliminating the detected vulnerabilities. Depending on the approach used for the analysis, the recommendations may include examples of correct code.
  • If necessary, based on the analysis of the application structure and the detected vulnerabilities, experts develop filtering policies for the Web Application Firewall used in the company and for other security facilities.