Semanticspace.com
From banking and brokerage to shopping, customers increasingly interact with a firm directly through Web applications. For years, IT organizations have invested in web application security testing, but Web applications are only part of the story: the reliability of the infrastructure they run on is just as important. Most firms spend far less on Web application security testing than they actually should.

SemanticSpace's Web Application Security Assessment (WASA) quickly brings to light weaknesses and points directly to corrective actions needed.
Web Application Security Assessment
SemanticSpace's WASA is a unique process that helps your organization identify the risks associated with exposure to the Internet. The Semantic Space web application security team provides comprehensive testing solutions with appropriate countermeasures to mitigate the risks, and helps your application become less vulnerable and more secure.
Impacts
Technical Vulnerabilities:
• URL Manipulation
• SQL Injection
• Cross Site Scripting
• Weak Session Tracking
• Passwords in Memory
• Buffer Overflows
• Configuration Issues
• Web server configuration
• Unvalidated Inputs
• Session Hijacking
• Credential management
Business Risks:
• Personal information modification
• Pricelist modification
• User impersonation
• Unauthorized funds transfer to accounts
• Privilege escalation of user account
• Wrong Transactions
• Unauthorized logins
• Breach of customer trust
Offerings and Technologies
Wasa Services
Highlights
• Semantic Space follows a combined risk-based approach to security testing, i.e. 80% manual testing and 20% automated (tool) testing
• Comprehensive report with snapshots of the results obtained
• Highest security clearance of consultants at all levels
• All solutions follow an easy-to-understand and easy-to-implement model
Benefits
• Timely and valuable application vulnerability information to assist in developing proactive protection measures
• Protection of business and information assets against hacking and loss of valuable data
• Assistance in increasing customer confidence and trust in the application
• Mitigation of loss of customers' confidential information
• Overcoming legal hassles due to failure of the application security
• Reduced cost of recovery and fixes due to loss of information
Web Application Security Testing > Production  
Need:
• Web Application Security testing is used, from a black box perspective, when the tester has limited knowledge of the system under test or when access to source code is not available. Black box testing is normally associated with activities that occur during the pre-deployment test phase (system test) or on a periodic basis after the system has been deployed, i.e. in Production
• Web Application Security tests are conducted to identify and resolve potential security vulnerabilities, and to periodically identify and resolve security issues within deployed systems. From a business perspective, organizations conduct Web Application security assessments to conform to regulatory requirements, protect confidential and proprietary information, and protect the organization's brand and reputation
Benefits:
• Test any application, built with any technology, for security weaknesses in live applications such as a website (e.g. www.semanticspace.com)
• Provide appropriate recommendations and solutions without looking into source code using "Code Snippets"
• Target Segments: Enterprises, Ecommerce Web Sites, Development Houses and Portals
Web Application Security Testing > Design level
Need:
• Secure web application design is not product-specific and is helpful in securely designing and implementing any Web application, regardless of the platform
• Restrictions imposed by infrastructure security are identified
• The web application security assessment at the design level recognizes and accommodates:
  • Restrictions imposed by hosting environments (including application isolation requirements)
  • The target environment code-access-security trust level is known, and the design identifies the deployment infrastructure requirements and the deployment configuration of the application
  • Domain structures, remote application servers, database servers, and clustering requirements are identified
  • The application configuration maintenance points (such as what needs to be configured and what tools are available for an IDC admin)
  • Secure communication features provided by the platform and the application are known
  • The design identifies the certificate authority (CA) to be used by the site to support SSL
• The design addresses Web farm considerations (including session state management, machine-specific encryption keys, Secure Sockets Layer (SSL), certificate deployment issues, and roaming profiles) and addresses the required scalability and performance criteria, hence the need for an assessment at this level
Benefits:
• Semantic Space testing team reviews the design of your application as it relates to the target deployment environment
• We consider the constraints imposed by the underlying infrastructure-layer security and the operational practices in use
• We review the security approach that was used for critical areas of your application by focusing on the set of categories that have the most impact on security
• We review the logical layers of your application, and evaluate your security choices within your presentation, business, and data access logic
• We recommend solutions in the entire life cycle as an ongoing effort
• Target segments: Development Houses
Web Application Security Testing > Pre-Deployment
Need:
• It is estimated that it can cost twenty times more to fix a coding problem that is discovered after the product has been released than it would have cost if discovered during the system test phase, i.e. during the pre-deployment phase
• Consider the personnel and processes required to address a security issue after deployment: help-desk personnel who are required to take trouble calls from the customer; support engineers who are required to confirm and diagnose the problem; developers who are needed to implement code fixes; QA personnel who are called to perform system regression tests; and managers to oversee the entire process. It is therefore prudent to perform application security testing in the pre-deployment phase itself
• Additional expenses are to be considered, such as those associated with patch distribution and the maintenance of multiple concurrently deployed versions
• Additionally, a serious post-deployment software vulnerability may result in potential business issues, such as damage to brand or company reputation, and potential legal liability issues
• Application security test tools can be used during the system test phase to identify and address the issues mentioned above, reduce system development costs, and reduce business risks associated with company reputation and liability
Benefits:
• We at Semantic Space identify implementation errors that were not discovered during code reviews, unit tests, or security white box tests
• We discover potential security issues resulting from boundary conditions that were difficult to identify and understand during the design and implementation phases
• We uncover security issues resulting from incorrect product builds (e.g., old or missing modules/files)
• We also detect security issues that arise as a result of interaction with the underlying environment (e.g., improper configuration files, unhardened OS and applications)
• Semantic Space tests for security weaknesses in applications at the pre-production (beta) stage
• We provide solutions and recommendations according to industry-known standards: Open Web Application Security Project (www.owasp.org)
• Our target segments: Development Houses
Web Application Security Testing > Code Review
Need:
• Security code reviews focus on identifying insecure coding techniques and vulnerabilities that could lead to security issues
• The cost to repair a web application security vulnerability during the early stages of source code program development is about 2% of the cost to repair that same flaw in a production environment. The repair cost does not take into account the potential costs associated with the exploit of security vulnerabilities
• The review goal is to identify as many potential security vulnerabilities as possible before the code is deployed
• Removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process
• If 50 percent of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75 percent each
• Defect correction during code and unit tests can reduce the cost impact by an additional factor of between 3 and 20
Benefits:
• Unlike surface-style testing, in our code review our consultants walk through the code line by line, looking for flaws that would allow an attacker to take control of your application
• Our approach allows us to take a much more holistic view of your application and identify vulnerabilities and exposure points that would have otherwise been hidden by cursory assessments
• We provide a targeted, cost-effective code review to identify areas in the code that can be improved for greater security
• Test the source code of the mentioned technologies for security flaws and recommend appropriate alternatives/remedies to plug the weaknesses at the development stage
• Target Segment: Development Houses (In house / External)
• Our code review helps:
  • Greatly reduce false positives identified through alternate testing methods
  • You to reduce development costs
  • Us to understand your software development life cycle maturity
© Copyright SemanticSpace Technologies. 2007