Application-related security threats represent an ever-growing and increasingly significant concern for organizations. NetSPI's unique approach to application security uses multiple automated software tools combined with extensive manual testing by expert consultants. Our service offering is the most comprehensive on the market and covers the most common threat vectors by reviewing application security from multiple perspectives.
We consolidate and analyze the data collected from testing using our CorrelatedVM™ Testing and Reporting Engine, and we then formulate recommendations for mitigating the identified security issues. NetSPI's reports provide actionable recommendations for improving your security posture and complying with relevant standards.
Application Code Review
Certain types of vulnerabilities are most effectively identified through static code analysis. NetSPI's Code Review service is the basic mechanism for validating the design and implementation of security for an application through examination of its source code. While an application assessment looks at an application from the outside in, the Code Review looks at an application from the inside out. NetSPI's Code Review service leverages market-leading code scanners and manual code review by expert consultants. As part of this process, NetSPI provides actionable recommendations for improving your application's security by identifying areas of the code that are vulnerable and providing recommendations for fixing each issue.
Application Threat Modeling
NetSPI looks at a piece of software to define a set of attacks that could be made against it. Having a threat model enables us to assess the probability, the potential harm, and the priority of attacks, and how those attacks can be parried or minimized. Threat modeling is an integral part of the SDLC (Software Development Life Cycle) process.
We also review your information-related processes and controls for possible security issues. Using information on your competitive position, critical processes, and business needs, we create a unique business risk matrix for your company. Once we identify the risks, we create a long-term strategy for your security and success.
Database Configuration Review
Insecurely configured database environments can expose an organization to critical data security threats. NetSPI's Database Configuration Review service identifies known weaknesses within the database account settings, server configurations, and SQL configuration that may allow unauthorized access to the data. We combine market-leading database auditing tools with expert consultants to maximize the value of this service and provide the client with a comprehensive understanding of their database security posture and actionable recommendations for improving security.
Mobile Applications
With the increased use of mobile devices and applications in corporate environments comes increased exposure to threats. Mobile applications are commonly used to store and transmit sensitive data across corporate networks. As a result, the direct impact of a compromise becomes even greater, because mobile devices can be leveraged to gain access to data and other internal network resources. Using manual methods, NetSPI's approach to Mobile Application Penetration Testing includes testing security controls in four core areas: file system, memory, network communications, and graphical user interface (GUI). The testing can be conducted on a live device or via emulator software, which allows the testing to be flexible enough to accommodate specific project constraints and requirements. Currently, NetSPI can perform Mobile Application Penetration Tests of iOS, Android, BlackBerry OS, and Windows Phone 7 based applications.
Thick Client Assessment
Thick client applications are subject to certain unique threats. NetSPI's approach to Thick Client Assessments includes review of server-side controls, data communication paths, and potential client-related issues. NetSPI reviews data communications, file, registry, memory, and the actual application forms on the client for potential denial of service (DoS) vectors and sensitive information disclosures; we also decompile code where possible and attempt to bypass authentication controls. By reviewing all of these attack vectors, we are able to provide you with a comprehensive understanding of the security posture of your thick client application.
Web Application Assessment
Organizations that rely on enterprise web applications to support critical business functions are exposed to an ever-increasing number of Internet-borne threats. NetSPI's comprehensive web application assessment identifies common and newly discovered security vulnerabilities by reviewing your application for the OWASP Top 10 web application vulnerabilities and other newly discovered attack vectors. Unlike strictly tool-based approaches to application assessment, we use market-leading application scanners combined with manually executed penetration testing techniques, effectively identifying true vulnerabilities and ruling out false positives. NetSPI's approach includes gaining a thorough understanding of the application architecture and business logic to ensure better results in identifying vulnerabilities.