Security Testing Services

Security testing aims at verifying 3 basic principles:

  • Confidentiality – protecting sensitive information from unauthorized users
  • Integrity – protecting information from being tampered with
  • Availability – providing access to information when it is needed

A security test case that is not designed around the security triad (CIA) is not a valid security test.

What we do

Security experts at AFour Technologies employ Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) techniques to discover potential threats that malicious users could exploit.

Security testing covers the entire ecosystem of network, host, application and data, and a comprehensive security report with severity ratings is provided.

Security Development Lifecycle Process Design

Threat Modeling

Threat modeling is a structured approach to identifying, evaluating and mitigating the risks to a system.
It uses the STRIDE threat model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).

Security Testing Considerations

Data

  • Integrity – tampering
  • Sniffing
  • Input validation
  • Encryption – data in transit
  • Authentication
  • Authorization
  • Encryption – data at rest
  • Repudiation

Host

  • Simulating packet flooding on the target for DoS attacks
  • Security patches
  • File entitlements
  • IP tables
  • Unnecessary user accounts
  • Vulnerability scan
  • Availability
  • Security misconfigurations
  • System auditing & event logging
  • Viruses, Trojans, worms

Network

  • Port scanning
  • IPS attacks
  • Packet sniffing
  • DoS attacks
  • IP spoofing
  • Traffic anomaly detection
  • Routing tables
  • DNS attacks
  • Eavesdropping

Application

  • OWASP Top 10
  • SAST analysis – static code analysis
  • DAST analysis – dynamic security testing
  • Denial of service
  • Buffer overflow
  • Cryptography – cipher, key length
  • File corruption
  • Certificate forgery
  • Third-party vulnerabilities
  • Application service accounts
  • Fuzz testing – service crash
  • Application logs
  • Cookie manipulation
  • Vulnerabilities in the application
  • Cross-site scripting
  • SQL injection
  • Session hijacking
  • REST API authentication
  • URL manipulation
  • HTTP header manipulation
  • Elevation of privilege
  • Tampering
  • Heartbleed, POODLE, FREAK
  • Application configurations

Authentication & Authorization

  • User / role based access control
  • Two-factor authentication
  • Repudiation
  • File system access
  • DB access, multi-tenancy
  • User audit activity
  • Password policies

Cloud Infrastructure Security

  • VPC
  • IAM
  • Applications grouped in security zones to restrict connections
  • Prevent root logins
  • Restrict DB access further, to a few hosts
  • Add redundancy of application servers for high availability
  • Provide temporary sudo privileges to a few users
  • Lock down ports
  • Security groups – allow access to applications from the private network or bastion hosts, not from the internet
  • Host hardening
  • Leverage AMIs for regular security patch management
  • Back up data regularly to mitigate disasters
  • Repudiation
  • OWASP Top 10
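As an added example (not AFour's own tooling), the security-group guideline above can be turned into an automated check: every ingress rule whose source is neither a private CIDR nor the bastion host's group is reported. The sample data is constructed, and the group ids and the private ranges are assumptions.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions entries returned by EC2's
# describe_security_groups (assumption: only the fields used here are present).
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BASTION_SG = "sg-bastion"  # placeholder group id, not a real one

SAMPLE_GROUPS = [
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]

def cidr_is_private(cidr, private_nets=PRIVATE_NETS):
    """True only if the whole CIDR lies inside one of the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in map(ipaddress.ip_network, private_nets):
        if net.version == allowed.version and net.subnet_of(allowed):
            return True
    return False

def find_exposed_ingress(groups, bastion_sg=BASTION_SG):
    """Return (group, protocol, from_port, to_port, source) for each ingress
    rule whose source is neither a private CIDR nor the bastion group."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            port = (perm["IpProtocol"], perm.get("FromPort", -1),
                    perm.get("ToPort", -1))
            for rng in perm.get("IpRanges", []):
                if not cidr_is_private(rng["CidrIp"]):
                    findings.append((group["GroupId"], *port, rng["CidrIp"]))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != bastion_sg:
                    findings.append((group["GroupId"], *port, pair["GroupId"]))
    return findings

if __name__ == "__main__":
    for f in find_exposed_ingress(SAMPLE_GROUPS):
        print("EXPOSED: %s %s ports %s-%s from %s" % f)
```

On the constructed sample the check reports the HTTPS rule open to 0.0.0.0/0 on sg-app and the all-traffic rule on sg-db, while the bastion-only SSH rule and the private-subnet DB rule pass.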

Security Tools

  • Threat modelling – MS TMT 2016
  • Static code analysis – PMD, FindBugs, Checkstyle
  • Vulnerability scanning – Arachni, Nikto, Nessus
  • Packet sniffing & replay – tcpdump, Nmap, TShark, Wireshark
  • Penetration testing – Metasploit, OpenVAS, ZAP, Kali Linux
  • REST API – Postman, SoapUI
  • Web application security – Burp Suite, sqlmap, SQL Inject Me, XSS Me, Tamper Data, commix, Nmap, Zenmap, Hydra, Fiddler, WATOBO, SSLScan
  • Encryption & cipher testing – GnuPG, BitLocker, OpenSSL, AES Online, md5sum