Application Security
IntelliSec Solutions provides web application security assessments that examine how security is planned and implemented at every stage of the application's lifecycle, from initiation through deployment and final production.
With backgrounds in technology, banking, defense, and healthcare, our consultants are among the foremost authorities on cybersecurity. They secure the applications already running in the enterprise and support the security process in every phase of the development lifecycle.
An application security assessment is the process of examining the effectiveness of the security measures implemented at the technical and organizational level across the application's lifecycle.
IntelliSec Solutions' consultants base their assessment on norms and standards in the field of information systems security such as NIST 800-53, CIS, OWASP ASVS and ISO/IEC 27000, as well as on their own expertise and experience. The evaluation is carried out through interviews, observations and an analysis of the available documentation.
The objective of the application security assessment is to examine how security is considered and implemented in the following eight domains:
Human resources security management
It encompasses all security controls that measure how security is implemented and considered in human resources management. These controls focus on the security aspects of the hiring process (staff, suppliers, contracts, etc.), the definition of roles and responsibilities, and security awareness and training.
Application security lifecycle management
It encompasses security controls that check whether security is shifted left across the whole lifecycle of the application: initiation, development, deployment and maintenance, through to decommissioning.
Application architecture, design and risk management
It encompasses security controls that examine whether security is properly implemented in the application's architecture and design. These controls also focus on the threat modeling and risk management processes.
Application security implementation
It examines in depth whether the security measures have been properly implemented and deployed in the following areas: access control, session management, input/output handling, communication, APIs, business logic and cryptography.
Application’s data security
It encompasses security controls that verify whether data integrity, availability and confidentiality are maintained throughout the application lifecycle.
Application security verification
It encompasses security controls that ensure all aspects of security testing are adopted: requirements-driven application testing, static security testing, configuration security assessment, vulnerability assessment, penetration testing, dependency testing, etc.
Application security protection
It encompasses security controls that examine the effectiveness of the protection measures in place, including web application firewalls, data loss prevention, denial-of-service defenses, malware defenses and runtime application self-protection.
Application logging, monitoring, detection and incident response
It encompasses security controls that verify whether the logging, monitoring, detection and incident response processes and procedures are effective at detecting and responding in time to any attempt that could harm the security of the application and its data.
Assessment Methodology
1- Available Documentation Review
The documentation review relies on the analysis of the available documents related to the security of the assessed application, such as security policies, strategies, procedures, network architecture, data flows, checklists, etc.
2- Interviews
This phase is based mainly on interviews with the security officers and employees involved in the security of the assessed application. The interviews are key to this evaluation: they not only collect the information needed to carry out the security assessment, but also make it possible to confirm whether the existing security procedures are actually applied and respected by the employees.
3- Evaluation of the Existing Security Measures
This phase consists of examining whether the current security measures comply with well-known security norms and standards such as CIS, NIST 800-53, OWASP ASVS and ISO/IEC 27001.
4- Gap Analysis and Threat Modeling
Taking into account the criticality of the application as well as the results of the previous steps, a gap analysis is established that highlights the contradictions found between the existing technical procedures and the daily operations of operational staff. In parallel, a threat model is established by listing the potential threats the application could face under the current conditions.
5- Assessment Reporting
Once the engagement is complete, IntelliSec Solutions delivers a detailed analysis and threat report, including remediation steps. Our consultants set an industry standard for clear and concise reports, which include the following:
- Executive Summary
- Strategic Strengths and Weaknesses
- Detailed Findings
- Threat and Gap Analysis
- Detailed Action Plan