Protect Your Apps
In this age of social sharing and data-driven web applications, enterprises cannot afford to be lax on security. When a malicious attack results in a security breach exposing confidential data, your brand reputation takes the hardest hit.
We help enterprises better manage and mitigate security risks to avoid serious business consequences that can result from theft of critical data. Our experience in this niche area tells us that a combination of manual testing and automated analysis can contribute to a comprehensive security audit. To ensure an end-to-end security assessment, we usually recommend a two-fold approach.
Web Application Security
To secure applications, the first step is to understand the threats to which they are exposed. Threat modeling makes it easier for businesses to comprehend the lurking danger and adopt countermeasures.
Another way is to approach the application just as a real-world attacker would. External penetration testing should be performed by trustworthy individuals backed by certifications. Our penetration testers are EC-Council certified ethical hackers trained to identify and reach critical digital assets by exploiting the vulnerabilities inherent in an application.
Application source code review at QBurst combines a number of static code analysis tools, such as FindBugs, Sonar, OWASP Orizon, Yasca, and Spike, with manual code review. We also rely on tools such as Qasat to extract code fragments relating to highly critical features of an application, such as payment processing, transaction authentication, and session management. With these snippets identified, testers are able to focus on the high-risk areas before covering the bulk of the source code, improving their speed and efficiency.
- In line with international standards such as OWASP
- Certified testers and ethical hackers
- Ongoing research and development
- Open source tools developed for audits and security scans
- Active contribution to improve industry practices
We develop tools to make life easier for testers like us.
- HashQ - An application manipulation detector based on hashing algorithms. Built in Java and shell script with a GUI based on the lightweight zenity toolkit for Linux, HashQ identifies differences between two applications by comparing their code files. The tool currently supports Android applications and Java binaries.
- Qasat - This is an Android application static analysis tool based on the Android Asset Packaging Tool for Linux. The tool decomposes an Android app into its component files, from which the application details can be understood.
- QScarab - Our pentesters rely on this to work through the thousands of conversations intercepted by the proxy tool Webscarab. QScarab aids them in categorizing requests and responses into different sections for easy analysis.
Security assessment efforts are never complete unless extended beyond the application layer to the server level. Server security testing at QBurst can involve penetration testing, vulnerability assessment, and restricting publicly accessible server variables followed by server hardening measures. Various security audit and intrusion detection systems are used to facilitate the scanning and analysis process.
The aim of a penetration test is to identify server vulnerabilities. This can be performed with the help of different tools which augment the testers’ analysis. To assure clients of the compliance of our security processes with IT industry standards, we base our penetration test tools, assessment strategies and audit checklists on OISSG’s Information Systems Security Assessment Framework (ISSAF). While most penetration testing services end in a final report detailing the exposed vulnerabilities and recommendations for their removal, we take the process to the next level by implementing those corrective steps.
Server hardening can be broken down into application and OS levels.
Hardening at the server application layer includes:
- setting up web server firewalls and disabling of HTTP trace requests, directory indexing, etc.
- database hardening to protect against common vulnerabilities such as SQL injections.
- disabling certain system level functions and hiding variables that could expose the server to malicious attacks.
At the OS level, measures to secure the server can include:
- Advanced Policy Firewall
- Brute Force Detection
- DDoS Deflate
- Rootkit scans
- Securing Shared Memory
- Hardening SSH installation
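As an added illustration of the application-layer and SSH hardening items listed above (example code, not a QBurst tool), the script below audits a web-server config for HTTP TRACE and directory indexing and an sshd_config for root login and password authentication. The config files are constructed inline, so the paths and their contents are sample data, not real server settings.

```shell
#!/bin/sh
# Added example, not QBurst's tooling: audit configs for a few of the
# hardening items listed above. Sample configs are constructed in a temp dir.
TMP=$(mktemp -d)

# Constructed Apache-style config with weak settings (TRACE on, indexing on).
WEAK_HTTPD="$TMP/httpd_weak.conf"
printf 'TraceEnable on\n<Directory /var/www>\n  Options Indexes FollowSymLinks\n</Directory>\n' > "$WEAK_HTTPD"
# The same config after hardening.
HARD_HTTPD="$TMP/httpd_hard.conf"
printf 'TraceEnable off\n<Directory /var/www>\n  Options -Indexes +FollowSymLinks\n</Directory>\n' > "$HARD_HTTPD"

# Constructed sshd_config pair: weak (root login, passwords) and hardened.
WEAK_SSHD="$TMP/sshd_weak"
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_SSHD"
HARD_SSHD="$TMP/sshd_hard"
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$HARD_SSHD"

# Returns 0 when TRACE is off and no Options line turns directory indexing on.
audit_httpd_conf() {
  rc=0
  grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off' "$1" \
    || { echo "httpd: TraceEnable is not off"; rc=1; }
  # "Indexes" preceded by a space or "+" enables listing; "-Indexes" does not.
  # "Options All" implies Indexes as well.
  grep -Eiq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]+])?(Indexes|All)([[:space:]]|$)' "$1" \
    && { echo "httpd: directory indexing enabled"; rc=1; }
  return $rc
}

# Returns 0 when root login and password authentication are both disabled.
audit_sshd_conf() {
  rc=0
  grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$1" \
    || { echo "sshd: PermitRootLogin is not 'no'"; rc=1; }
  grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" \
    || { echo "sshd: PasswordAuthentication is not 'no'"; rc=1; }
  return $rc
}

# Run both audits over the weak and hardened samples; the weak ones report findings.
for f in "$WEAK_HTTPD" "$HARD_HTTPD"; do audit_httpd_conf "$f" || echo "FAIL: $f"; done
for f in "$WEAK_SSHD" "$HARD_SSHD"; do audit_sshd_conf "$f" || echo "FAIL: $f"; done
```

Point the functions at a real /etc/apache2 or /etc/ssh/sshd_config file to use them on an actual host; a non-zero return means at least one listed hardening item is missing.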
Protecting applications and the data they hold, while keeping them available to legitimate users, is critical to any business. Our security audit methodology and processes are built on industry standards and international guidelines. We identify the root causes of security flaws, perform hardening to secure the environment, and provide a detailed report with recommendations for reasonable and practical steps to mitigate future risks. Contact us for a detailed security audit of your application.