Abstract image of a woman sitting on books and studying on a laptop

we45 - Web Application Security Testing Case Study

Download as PDF, PPTX
W
we45

we45 performed a comprehensive security test of a large messaging gateway's platform over 5 years. They identified deep injection flaws and unauthorized access to web services. we45 presented detailed findings, which were remediated. The client now has an enhanced security program with we45 as a long-term security partner.

Services
1 of 15
Download as PDF, PPTX
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
we45 - Web Application Security Testing Case Study
we45‘s Web Application Security Solutions Web Application Vulnerability Assessment and Penetration Testing Secure Software Development Lifecycle Implementation and Consulting Application Security - Code Review and Walkthroughs Web - Product Security Consulting and Design
Web App Security Testing - Case Study One of the largest Messaging Gateways in the APAC region engaged with we45 Performed Web Security Tests for over 5 years with other providers, but not sure about results Complex Application with multiple interfaces including Web Services Engaged to perform Comprehensive Web Security Penetration Test
Key Objectives Perform Comprehensive Security Test of Messaging Gateway Platform Identify key risks to User Information Perform detailed security analysis of Web Services - Revenue Effect Provide comprehensive reports detailing recommendations
The we45 Approach
Application Overview and Threat Modeling we45’s Security Experts identified the application’s key functionality through an Overview process. Identified Key Potential Risks to the application through using Security Risk Assessment we45’s Methodology - Created by CTO Abhay Bhargav, detailed in his book Secure Java for Web Application Development Derivative of the world-class OCTAVE and NIST Risk Assessment Methodologies - Focused on Web Apps
Application Security Risk Assessment & Threat Modeling - 2 Application Security Threat Modeling - Critical in identifying potential attack scenarios Identified Trust Boundaries for the in-scope Web Apps Extremely useful for Code Reviews, Security Testing and Application Security Documentation we45’s Security Experts perform Threat Modeling based on Microsoft’s renowned STRIDE Methodology
we45 Web Application Security Testing Hybrid Methodology - Automated and Manual Web Application Security Testing for target application Apart from commercial and open source assessment tools, we45’s Security Experts developed special scripts and tools to identify Security Flaws Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS Top 25, CERT-US Secure Coding Guidelines Security Flaws for Web Services - evaluated in detail.
Security Testing Methodology
A Few Key Findings.... Deep-seated Injection Flaws in several sections of the application Utilized specialized Injection attacks to gain access to backend database Enumerated users and hashed passwords, including admin and DB users Utilized Password cracking techniques to crack password hashes Web Services Flaws Unauthenticated Access to critical web services Lack of Authorization checks and controls Deep-seated issues identified with the REST Interfaces
Review & Presentation Findings presented to Developers, Project Managers and CTO Findings were explained in detail by we45’s Security Experts Findings were prioritized and agreements on remediation were reached
Analysis & Reporting we45 prepared a detailed Security Risk Assessment and Code Review Report Report was ranked by severity of findings. Findings were referenced with Industry metrics like CWE, CVE and so on. Examples were provided as code- snippets with line number information Multiple Recommendations and Remediation Strategies were provided Executive Summary and Action Plan prepared for Management Action
Results & View into the Future Results: With we45’s support, client was able to remediate all the security flaws with the application Enhanced Security through implementation of a Secure Software Development Lifecycle. The Client was awarded by their industry peers for Security Practices and Security Initiatives The Future: we45 is the trusted Application Security Partner for this client we45 also provides detailed product security consulting for the client’s products
we45‘s Web Application Security Solutions Web Application Vulnerability Assessment and Penetration Testing Secure Software Development Lifecycle Implementation and Consulting Application Security - Code Review and Walkthroughs Web - Product Security Consulting and Design
we45 - Web Application Security Testing Case Study

More Related Content

PPTX
Security Testing
Qualitest
 
PPTX
Security testing
Rihab Chebbah
 
PDF
Testing Web Application Security
Ted Husted
 
PDF
Web Application Security Testing Tools
Eric Lai
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PPS
Security testing
Tabăra de Testare
 
PDF
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
PPTX
Security Testing for Web Application
Precise Testing Solution
 
Security Testing
Qualitest
 
Security testing
Rihab Chebbah
 
Testing Web Application Security
Ted Husted
 
Web Application Security Testing Tools
Eric Lai
 
Security testing fundamentals
Cygnet Infotech
 
Security testing
Tabăra de Testare
 
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Security Testing for Web Application
Precise Testing Solution
 

What's hot (19)

PDF
The Complete Web Application Security Testing Checklist
Cigital
 
PDF
Introduction to Security Testing
vodQA
 
PPTX
Penetration Testing
RomSoft SRL
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PPT
Security Testing
Kiran Kumar
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PPTX
OTG - Practical Hands on VAPT
shiriskumar
 
PDF
Security testing presentation
Confiz
 
PDF
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
PDF
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
PDF
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
PPTX
Security Testing Training With Examples
Alwin Thayyil
 
PPTX
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
PDF
Security testing-What can we do - Trinh Minh Hien
Ho Chi Minh City Software Testing Club
 
PPTX
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
Web Application Security 101
Jannis Kirschner
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
The Complete Web Application Security Testing Checklist
Cigital
 
Introduction to Security Testing
vodQA
 
Penetration Testing
RomSoft SRL
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Security Testing
Kiran Kumar
 
Get Ready for Web Application Security Testing
Alan Kan
 
OTG - Practical Hands on VAPT
shiriskumar
 
Security testing presentation
Confiz
 
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Security Testing Training With Examples
Alwin Thayyil
 
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
Security testing-What can we do - Trinh Minh Hien
Ho Chi Minh City Software Testing Club
 
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Web Application Security 101
Jannis Kirschner
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Ad

Viewers also liked (7)

PPTX
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
PPTX
Security testing ?
Maikel Ninaber
 
PDF
Software Project Management: Testing Document
Minhas Kamal
 
PDF
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
Stephan Kaps
 
PDF
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
PPSX
8 Access Control
Alfred Ouyang
 
DOCX
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Security testing ?
Maikel Ninaber
 
Software Project Management: Testing Document
Minhas Kamal
 
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
Stephan Kaps
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
8 Access Control
Alfred Ouyang
 
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 
Ad

Similar to we45 - Web Application Security Testing Case Study (20)

PDF
Security Code Review Case Study - we45
we45
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
ByteCode pentest report example
Ihor Uzhvenko
 
PPTX
Integrating security into the application development process
Jerod Brennen
 
PPT
香港六合彩
baoyin
 
PPTX
How to develop an AppSec culture in your project
99X Technology
 
PPTX
Building an AppSec Culture
Nirosh Jayaratnam
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
PPT
六合彩香港-六合彩
baoyin
 
PDF
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
DefCamp
 
PDF
OWASP-Web-Security-testing-4.2
ICTperspectives
 
PDF
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Minded Security
 
PPT
Software Security Engineering
Marco Morana
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
PDF
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
PDF
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
PDF
Review Paper ( Research Articles )
SaadSaif6
 
PPTX
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
RootedCON
 
PPT
Web Application Security Testing
Marco Morana
 
Security Code Review Case Study - we45
we45
 
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
Application Security - Your Success Depends on it
WSO2
 
ByteCode pentest report example
Ihor Uzhvenko
 
Integrating security into the application development process
Jerod Brennen
 
香港六合彩
baoyin
 
How to develop an AppSec culture in your project
99X Technology
 
Building an AppSec Culture
Nirosh Jayaratnam
 
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
六合彩香港-六合彩
baoyin
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
DefCamp
 
OWASP-Web-Security-testing-4.2
ICTperspectives
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Minded Security
 
Software Security Engineering
Marco Morana
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
Review Paper ( Research Articles )
SaadSaif6
 
José Vila - ¿Otro parche más? No, por favor. [rooted2018]
RootedCON
 
Web Application Security Testing
Marco Morana
 

Recently uploaded (20)

PDF
Testing of Tank and Tight boundaries.pdf
SagarRath6
 
PPTX
Best_SEO_Service_in_India_Explained.pptx
swaticlicks2grow
 
PDF
IETM for beginners - A Quick Guide to IETM - Code and Pixels
Code and Pixels Interactive Technology Pvt.Ltd
 
PPTX
Importance of Tech Related Skills, programming and others
ekdonvimofx
 
PPTX
Top Ten Brokers in 2025—Angel Sky’s Expert Guide.pptx
kirankaur20inbox
 
PPTX
Precision HVAC Duct Shop Drawing Services
Silicon EC UK LTD
 
PDF
Kutumbh-HRCare-Benefits-of-Working-with-Staffing-Agencies-for-ITI-Helper-Bulk...
Kutumbh HRCare
 
PDF
Green & ESG Bookkeeping Accounting in the UK 2025 | Why It Matters
huseinccntnts
 
PPTX
A presentation of important quizzing session in IIT kgp
nirmalyaiima
 
PDF
Lovely Foundation – NGO for Poverty in Mohali
Lovely Foundation
 
PDF
Why IT Infrastructure Management Is Crucial for Business Success?
VRS Technologies
 
PDF
How to Select the Best Facility Management Services in Dehradun.pdf
oneserviceprovider01
 
PDF
Landscaping Design Installation Services
American Lawn Care & Irrigation
 
PDF
KESHAV
sumitvijay275
 
PDF
TOP PLACES TO VISIT IN HIMACHAL PRADESH.pdf
Bir Billing Paragliding
 
PPTX
2022-09-17 Town Hall Meeting Presentation.pptx
engrfaruquekhan007
 
PDF
Warehouse Storage Solutions: Key Benefits
L&M Distribution and Logistics
 
PDF
How AI Is Simplifying Science Education Via Practical Learning.pdf
SoluLab1231
 
PDF
Advisory Bookkeeping Services in the UK: A Complete Guide for 2025
huseinccntnts
 
PDF
Virtual Remote Monitoring in Singapore.pdf
ecomme9
 
Testing of Tank and Tight boundaries.pdf
SagarRath6
 
Best_SEO_Service_in_India_Explained.pptx
swaticlicks2grow
 
IETM for beginners - A Quick Guide to IETM - Code and Pixels
Code and Pixels Interactive Technology Pvt.Ltd
 
Importance of Tech Related Skills, programming and others
ekdonvimofx
 
Top Ten Brokers in 2025—Angel Sky’s Expert Guide.pptx
kirankaur20inbox
 
Precision HVAC Duct Shop Drawing Services
Silicon EC UK LTD
 
Kutumbh-HRCare-Benefits-of-Working-with-Staffing-Agencies-for-ITI-Helper-Bulk...
Kutumbh HRCare
 
Green & ESG Bookkeeping Accounting in the UK 2025 | Why It Matters
huseinccntnts
 
A presentation of important quizzing session in IIT kgp
nirmalyaiima
 
Lovely Foundation – NGO for Poverty in Mohali
Lovely Foundation
 
Why IT Infrastructure Management Is Crucial for Business Success?
VRS Technologies
 
How to Select the Best Facility Management Services in Dehradun.pdf
oneserviceprovider01
 
Landscaping Design Installation Services
American Lawn Care & Irrigation
 
KESHAV
sumitvijay275
 
TOP PLACES TO VISIT IN HIMACHAL PRADESH.pdf
Bir Billing Paragliding
 
2022-09-17 Town Hall Meeting Presentation.pptx
engrfaruquekhan007
 
Warehouse Storage Solutions: Key Benefits
L&M Distribution and Logistics
 
How AI Is Simplifying Science Education Via Practical Learning.pdf
SoluLab1231
 
Advisory Bookkeeping Services in the UK: A Complete Guide for 2025
huseinccntnts
 
Virtual Remote Monitoring in Singapore.pdf
ecomme9
 

we45 - Web Application Security Testing Case Study

  • 2. we45‘s Web Application Security Solutions Web Application Vulnerability Assessment and Penetration Testing Secure Software Development Lifecycle Implementation and Consulting Application Security - Code Review and Walkthroughs Web - Product Security Consulting and Design
  • 3. Web App Security Testing - Case Study One of the largest Messaging Gateways in the APAC region engaged with we45 Performed Web Security Tests for over 5 years with other providers, but not sure about results Complex Application with multiple interfaces including Web Services Engaged to perform Comprehensive Web Security Penetration Test
  • 4. Key Objectives Perform Comprehensive Security Test of Messaging Gateway Platform Identify key risks to User Information Perform detailed security analysis of Web Services - Revenue Effect Provide comprehensive reports detailing recommendations
  • 6. Application Overview and Threat Modeling we45’s Security Experts identified the application’s key functionality through an Overview process. Identified Key Potential Risks to the application through using Security Risk Assessment we45’s Methodology - Created by CTO Abhay Bhargav, detailed in his book Secure Java for Web Application Development Derivative of the world-class OCTAVE and NIST Risk Assessment Methodologies - Focused on Web Apps
  • 7. Application Security Risk Assessment & Threat Modeling - 2 Application Security Threat Modeling - Critical in identifying potential attack scenarios Identified Trust Boundaries for the in-scope Web Apps Extremely useful for Code Reviews, Security Testing and Application Security Documentation we45’s Security Experts perform Threat Modeling based on Microsoft’s renowned STRIDE Methodology
  • 8. we45 Web Application Security Testing Hybrid Methodology - Automated and Manual Web Application Security Testing for target application Apart from commercial and open source assessment tools, we45’s Security Experts developed special scripts and tools to identify Security Flaws Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS Top 25, CERT-US Secure Coding Guidelines Security Flaws for Web Services - evaluated in detail.
  • 10. A Few Key Findings.... Deep-seated Injection Flaws in several sections of the application Utilized specialized Injection attacks to gain access to backend database Enumerated users and hashed passwords, including admin and DB users Utilized Password cracking techniques to crack password hashes Web Services Flaws Unauthenticated Access to critical web services Lack of Authorization checks and controls Deep-seated issues identified with the REST Interfaces
  • 11. Review & Presentation Findings presented to Developers, Project Managers and CTO Findings were explained in detail by we45’s Security Experts Findings were prioritized and agreements on remediation were reached
  • 12. Analysis & Reporting we45 prepared a detailed Security Risk Assessment and Code Review Report Report was ranked by severity of findings. Findings were referenced with Industry metrics like CWE, CVE and so on. Examples were provided as code- snippets with line number information Multiple Recommendations and Remediation Strategies were provided Executive Summary and Action Plan prepared for Management Action
  • 13. Results & View into the Future Results: With we45’s support, client was able to remediate all the security flaws with the application Enhanced Security through implementation of a Secure Software Development Lifecycle. The Client was awarded by their industry peers for Security Practices and Security Initiatives The Future: we45 is the trusted Application Security Partner for this client we45 also provides detailed product security consulting for the client’s products
  • 14. we45‘s Web Application Security Solutions Web Application Vulnerability Assessment and Penetration Testing Secure Software Development Lifecycle Implementation and Consulting Application Security - Code Review and Walkthroughs Web - Product Security Consulting and Design