we45 - Web Application Security Testing Case Study

2. we45‘s Web Application Security Solutions
Web Application Vulnerability
Assessment and Penetration
Testing
Secure Software Development
Lifecycle Implementation and
Consulting
Application Security - Code
Review and Walkthroughs
Web - Product Security Consulting
and Design

3. Web App Security Testing - Case Study
One of the largest Messaging
Gateways in the APAC region
engaged with we45
Performed Web Security Tests for
over 5 years with other providers,
but not sure about results
Complex Application with multiple
interfaces including Web Services
Engaged to perform Comprehensive
Web Security Penetration Test

4. Key Objectives
Perform Comprehensive Security
Test of Messaging Gateway
Platform
Identify key risks to User
Information
Perform detailed security analysis
of Web Services - Revenue Effect
Provide comprehensive reports
detailing recommendations

5. The we45 Approach

6. Application Overview and Threat Modeling
we45’s Security Experts identified the
application’s key functionality through
an Overview process.
Identified Key Potential Risks to the
application through using Security
Risk Assessment
we45’s Methodology - Created by
CTO Abhay Bhargav, detailed in his
book Secure Java for Web
Application Development
Derivative of the world-class OCTAVE
and NIST Risk Assessment
Methodologies - Focused on Web
Apps

7. Application Security Risk Assessment &
Threat Modeling - 2
Application Security Threat
Modeling - Critical in identifying
potential attack scenarios
Identified Trust Boundaries for the
in-scope Web Apps
Extremely useful for Code Reviews,
Security Testing and Application
Security Documentation
we45’s Security Experts perform
Threat Modeling based on
Microsoft’s renowned STRIDE
Methodology

8. we45 Web Application Security Testing
Hybrid Methodology - Automated and Manual Web Application
Security Testing for target application
Apart from commercial and open source assessment tools, we45’s
Security Experts developed special scripts and tools to identify Security
Flaws
Security Flaws assessed - OWASP Top 10, WASC Security Flaws, SANS
Top 25, CERT-US Secure Coding Guidelines
Security Flaws for Web Services - evaluated in detail.

9. Security Testing Methodology

10. A Few Key Findings....
Deep-seated Injection Flaws in several sections of the application
Utilized specialized Injection attacks to gain access to backend database
Enumerated users and hashed passwords, including admin and DB users
Utilized Password cracking techniques to crack password hashes
Web Services Flaws
Unauthenticated Access to critical web services
Lack of Authorization checks and controls
Deep-seated issues identified with the REST Interfaces

11. Review & Presentation
Findings presented to
Developers, Project Managers
and CTO
Findings were explained in
detail by we45’s Security
Experts
Findings were prioritized and
agreements on remediation
were reached

12. Analysis & Reporting
we45 prepared a detailed Security Risk
Assessment and Code Review Report
Report was ranked by severity of
findings.
Findings were referenced with Industry
metrics like CWE, CVE and so on.
Examples were provided as code-
snippets with line number information
Multiple Recommendations and
Remediation Strategies were provided
Executive Summary and Action Plan
prepared for Management Action

13. Results & View into the Future
Results:
With we45’s support, client was able to
remediate all the security flaws with the
application
Enhanced Security through implementation of
a Secure Software Development Lifecycle.
The Client was awarded by their industry
peers for Security Practices and Security
Initiatives
The Future:
we45 is the trusted Application Security
Partner for this client
we45 also provides detailed product security
consulting for the client’s products

14. we45‘s Web Application Security Solutions
Web Application Vulnerability
Assessment and Penetration
Testing
Secure Software Development
Lifecycle Implementation and
Consulting
Application Security - Code
Review and Walkthroughs
Web - Product Security Consulting
and Design