Application Security
Consulting
Today bringing your
business online is a must in an effective business development strategy. Thus
more and more sensitive data is moving to the web which brings new application
security and information confidentiality challenges.
Complex Approach to Securing
Web Applications
The most secure web
applications are those that are developed initially with security in mind. Colombus specialists follow a holistic approach to
designing, building and supporting secure web applications. We address security
issues on all application tiers (web server, application server and database).
While developing secure web
applications we analyze vulnerability categories and potential threats
(external or internal) depending on application scenario and technologies used.
This enables us to develop an effective security
architecture and take proper countermeasures.
Vulnerabilities and Potential
Threats |
Securing Practices and Countermeasures |
Authentication
Network eavesdropping, Brute force attacks, Dictionary attacks, Cookie
replays, Credentials theft |
-
Partition of public and restricted areas |
Input Validation
Buffer
overflow, cross-site scripting, SQL injection |
- Thorough input
validation |
Authorization
Privilege elevation, confidential information disclosure, data
tampering |
-
Multiple gatekeepers |
Configuration Management
Unauthorized
access to application administration, hacking of configuration data |
- Role-based
administration with strong authentication |
Sensitive Data
Sensitive data discloser, network eavesdropping, data tampering |
-
Role-based access to sensitive data |
The above vulnerabilities
are just a part of a bigger list. Internet, intranet or extranet applications
each has its specific security issues and challenges that need to be analyzed
and addressed.
Securing Applications
through Development Life Cycle
From initial stages of the web
application development cycle Colombus specialists
thoroughly consider security implications. This allows defining potential risks
early and implementing effective countermeasures.
Securing Categories
and Practices |
Development Life Cycle Phase |
Roles Distribution |
Threat Modeling |
Architecture Design |
Architect(R),
Developer(I), Tester(I) |
Security Design Practices |
Architecture Design |
Architect(R), Developer(I) |
Security Architecture |
Architecture Design |
Architect(R) |
Code Development and Review |
Implementation |
Developer(R), Tester(I) |
Technology Related Threats |
Implementation |
Developer(R) |
Security Testing |
Testing and Stabilization |
Tester(R), Architect
(C), Developer (I) |
Deployment Review |
Deployment and Maintenance |
System
Administrator (R), Architect(C), Developer(I), Tester(I) |
Legend: R – Responsible, C
– Consulted, I - Informed