APPLICATION SECURITY ASSESSMENT

98% of web applications have at least one risk, and the average application has 22.4 vulnerabilities. And because you’re the one responsible for the security of your applications, every vulnerability counts. If you’re searching for forward-looking recommendations to propel your application security to infinity and, well, beyond, Jumbo-SCS Security can help.
Our team is highly collaborative and dedicated to integrating into your development process without hiccups. We know how to work with development teams—because we are developers. Want us to coordinate with a vendor or end client? No problem. As your AppSec partner, we can even provide feedback and guidance on the effectiveness of your security program. Several of our clients delegate large portions of their application portfolio for us to manage and coordinate.
The goal is to use our refined process and methodologies to provide specific findings that are relevant and important to the business. We attempt to identify the root cause of an issue, providing both tactical and strategic guidance. Since human beings perform our assessments, we are both highly accurate and context relevant to the business. We won’t inflate a finding or generate lots of noise that is difficult to quantify. We want to provide exactly the right information to know what to do, if anything should be done at all.
A) THREAT MODELING
If you’re wondering, “What assets do I have?” or “Who are potential attackers?” then threat modeling is a great place to start. Our verification efforts begin with an effort to understand the threat agents, architectural components, trust boundaries, critical business assets, and connections of an application and its environment. Doing so lets us assess architecture risks and business risks together so you can see how they impact one another.
B) SECURITY ARCHITECTURE REVIEW
When you find yourself wondering at night if your design and architecture sufficiently defends against cyber threats, give us a call. A security architecture review will help put your mind at ease. Experienced consultants will work with your team to assess your unique threat landscape and the effectiveness of your planned or implemented security controls, providing you with tailored guidance to improve your security posture.
C) SECURITY CODE REVIEW
You’ve got hundreds, thousands, or millions of lines of code in your web applications. How confident are you that security controls have been implemented correctly? Have your developers been trained on the latest best practices of developing secure code? Has anyone reviewed the code before going into production? What about legacy code? Having former developers as security experts gives us a leg-up on your situation. Our consultants know what they are doing, and know what to look for. They have an attacker mentality and a defender mindset.
D) PENETRATION TESTING
Our resident white hatters are some of the brightest around. Our penetration testing service will give you confidence whether the controls you’ve put into place actually work the way they are supposed to. Penetration testing will identify exploitable vulnerabilities and test your environmental security controls, like web application firewalls.
THREAT MODELING
START THE PROCESS
Using threat modeling techniques, Jumbo-SCS can help you capture critical information and create a prioritized plan for your assessment efforts. Threat Modeling begins with an effort to quickly understand the threat agents, architectural components, trust boundaries, critical business assets, and connections of your application and its environment. This helps prioritize the most important areas to focus on during the assessment.
The initial threat model is established during the kickoff call, and is based on available documentation and conversations with representatives from the business, security, architecture, and development teams. As the assessment proceeds, and as our team performs testing and code review, the threat model is updated and refined as needed.
Jumbo-SCS informally develops a threat model for every application we review to assist with our assessment efforts. Jumbo-SCS also provides formal application security threat modeling for its clients. We can develop threat models for your critical applications and teach your staff how to develop them. As part of any educational effort related to threat modeling, we provide standard templates and best practices for developing threat models based on common application security architectures, so you aren’t developing your threat models from scratch, providing immediate value and long-term practicality.
SECURE ARCHITECTURE REVIEW
BUILDING CONSENSUS
Facilitating the design and validation of your application security architecture starts by bringing teams together. When you’ve established security priorities and choices, implementation and follow through become easier. That’s why we work with your team to identify and assess business risks and controls.
Our consultants have applicable experience in a variety of industries, including high finance, defense, banking, and health-care. Jumbo-SCS consultants bring functional knowledge regarding what has worked, what hasn’t, and how your enterprise can avoid common pitfalls others have made.
MODELING YOUR THREAT LANDSCAPE
Security Control Analysis
To ensure an application is secure, you have to understand the threat model. Our threat modeling approach provides unparalleled insight into security risks that could harm your enterprise. Our experienced consultants develop your unique threat landscape in consultation with your team, and then work with your team to identify where planned or existing security controls fit into the software architecture. We can assess the architecture of a system in the design stage, or one that has already been built, to make sure all the proper security controls exist in the right places.
Because we deliver simple, clear documentation of the application security architecture, all project participants understand how security is supposed to work. Based on the security architecture, we can produce a tailored set of application security requirements and coding guidelines for your project. This effects the most change with the smallest footprint in your enterprise, making both practical and financial sense.
SECURE CODE REVIEW
MANUAL CODE REVIEW
Many vulnerabilities cannot be discovered without looking at the code, and for many other vulnerabilities, a manual code review is simply more efficient than scanning or testing. Manual code review is the only way that several key security controls can be verified, including access control, encryption, data protection, logging, and back-end system communications and usage.
Manual code review is also very useful in identifying the attack surface of an application and tracing how data flows through an application from its sources to its sinks. Manual code review helps Jumbo-SCS understand the actual security architecture as implemented, so that we can isolate architectural vulnerabilities.
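The source-to-sink tracing described above, automated over a small constructed snippet so the idea is concrete. This is an added illustration, not Jumbo-SCS tooling or any client's code; the source and sink call names and the sample functions are assumptions chosen for the demo.

```python
"""Trace attacker-controlled data from sources to sinks in a small sample.

Added example, not code from the page's author. The SOURCES/SINKS call
names and the SAMPLE functions are constructed for the demonstration.
"""
import ast

# Calls that introduce untrusted (user-controlled) data; assumed for the demo.
SOURCES = {"request.args.get", "request.form.get", "input"}
# Calls that are dangerous when fed unvalidated data; assumed for the demo.
SINKS = {"cursor.execute", "os.system", "subprocess.call"}

# Constructed sample under review: one unsafe flow (string-built SQL) and
# one safe flow (the same value bound as a query parameter).
SAMPLE = '''
def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
'''


def dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain such as request.args.get, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def names_in(node):
    """All simple variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def trace_flows(source_code):
    """Per function: mark a local as tainted when it is assigned from a source
    call or from an expression that mentions a tainted name, then report sink
    calls whose first argument (the statement/command) is built from a tainted
    name. A tainted value passed only as a bound parameter is not reported.
    Returns a list of (function_name, sink_name, line_number)."""
    findings = []
    tree = ast.parse(source_code)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                value = stmt.value
                is_source = (isinstance(value, ast.Call)
                             and dotted_name(value.func) in SOURCES)
                if is_source or names_in(value) & tainted:
                    tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                sink = dotted_name(call.func)
                if sink in SINKS and call.args:
                    first = call.args[0]
                    # A literal statement cannot carry tainted data; a Name or
                    # expression that references a tainted local can.
                    if not isinstance(first, ast.Constant) and names_in(first) & tainted:
                        findings.append((func.name, sink, stmt.lineno))
    return findings


if __name__ == "__main__":
    for fn, sink, line in trace_flows(SAMPLE):
        print(f"{fn}: untrusted data reaches {sink} at line {line}")
```

On the constructed sample this reports only `lookup`, because `lookup_safe` passes the same untrusted value as a bound parameter rather than splicing it into the statement. A reviewer doing this by hand follows the same two questions for every sink: where did this value come from, and was it validated or parameterized on the way.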
STATIC ANALYSIS
Jumbo-SCS advocates the use of code review as a part of our application assessment approach. Our use of code review makes our assessments more comprehensive and more accurate than any other approach. The use of code review also makes reviews more cost-effective.
Jumbo-SCS uses vulnerability scanning tools, both commercial and proprietary, as a part of our application assessment process. Vulnerability scanning is one part of our hybrid approach to application assessment. Combined with code review and security testing, our approach is more cost-effective and accurate than any other approach. We tailor scanning tools in order to get a high-quality scan, and then carefully diagnose, consolidate, and verify all of the automatically generated data.
Vulnerability scanning tools explore applications and use databases of signatures to attempt to identify weaknesses. These tools can be leveraged to find instances of XSS, CSRF, SQL Injection, unprotected directories, open ports, etc. Once the tools have been trained to understand the security controls in an application, they can be used to verify many more advanced security areas as well.
THE JUMBO-SCS SECURITY EDGE
We verify millions of lines of code every month across a wide range of platforms and frameworks, and have fine-tuned our process to be efficient and effective. We’ve had experience verifying the security of the code for complex enterprise applications in industries from high finance, banking, and insurance to retail, defense, and aerospace. We have deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more. Even if you didn’t develop the code yourself, we are happy to work with your software provider.
MANUAL PENETRATION TESTING
Security penetration testing is a key technique for verifying the security of applications. Combining manual testing with manual code review makes our hybrid application verification approach more comprehensive and more accurate than any other method.
Jumbo-SCS performs manual penetration testing on complex enterprise applications for both large and small enterprises. Our specialty is applications with complex architectures and security features. Over many years, we have tuned our process to be efficient and effective.
Manual penetration testing is uniquely effective at demonstrating the exploitability of a vulnerability. Manual penetration testing is also frequently the only way that environmental security controls, such as web application firewalls, URL-based access control mechanisms, and centralized authentication gateways, can be tested. If code is not available, then creative penetration testing is the only way to generate assurance.
THE JUMBO-SCS SECURITY EDGE
We verify critical applications across a wide range of platforms and frameworks, and have fine-tuned our process to be efficient and effective. We’ve had experience verifying the security of complex enterprise applications in industries ranging from high finance, banking, and insurance to retail, defense, and aerospace. We have deep experience with virtually all modern software environments and frameworks and with cutting-edge attack techniques.