Application SecurityLaunch your application or website with confidence with security reviews by experienced developers.
Web Application Security
Web Applications, and their vulnerabilities, have become simple ways for hackers to gain confidential information. Hermetic Networks offers a hybrid approach, combining Web Application Security Testing and Dynamic Application Security Testing to gain a full understanding of both the scope and architecture of the target applications. Automated tools are configured and monitored to test the enabled security controls designed to protect the application’s exposed user interface. Then manual attack techniques are applied to validate the automated results, as well as evaluate the ‘real-world’ impact of discovered vulnerabilities.
We focus on specific areas such as:
- Un-Validated Parameters
- Broken Access Control
- Broken Account and Session Management
- Cross-Site Scripting (and Syntax Injection) Flaws
- Buffer Overflows
- OS Command Injection Flaws
- Error Handling Problems
- Insecure use of Cryptography
- Remote Administration Flaws
- Web and Application Server Misconfiguration
- SQL Injection Flaws
- Database Enumeration Flaws
We then classify each discovered vulnerability using industry standard categories. Categories include OWASP Top 10, Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE), and the Sans Top 25.
Custom and Static Code Security Analysis
Hermetic Networks administers White Box Application Tests during a source code review, but these tests can be conducted at multiple points in the development cycle. Again, we use both automated and manual methods in order to provide a comprehensive report. In the automated portion of the assessment, we recreate your current application development environment. We then test the copied environment with automated source code review techniques—such as static code analysis, keyword searching, encryption methods, code-path analysis, and external library loading logic. In this stage, Hermetic Networks also employs commercial, open source, and custom tools to ensure that your company receives the most value from our automated source-code assessment.
Once the automated review is complete, a manual source code review takes place. This is where our application security expertise comes into play. Hermetic Networks uses the manual review to focus on data validation—which means removing false positives and confirming whether exploit paths or vulnerabilities truly exist. We specifically examine the source-code and the applications’ interaction with end users via interfaces, back-end business logic, and application flow. We guarantee diligence and accuracy.