Auditing network and web applications
We offer security audits and verification of the applications you make available to your customers.
A comprehensive audit of network applications covers, among other things:
- Entity authentication
Audit of the mechanisms that restrict access to specified application resources to authenticated users only. This check verifies that the resources are actually protected by an authentication mechanism rather than merely hidden.
- Authorization
Audit of the mechanisms that limit access to application resources and functions to selected, authorized users. This check verifies that access to each resource and function is enforced by a defined authorization control, protecting it from misuse (for example, one user reaching another user's data).
- Session management
Validation of the application's session management mechanism and its security.
- Input parameter validation
This check verifies that the application correctly handles parameters supplied by the user.
- Code injection
Closely tied to input parameter validation. This check verifies whether parameter validation errors can be used to inject foreign code (SQL, script or shell commands) into the application.
- Logging and error handling
This check examines how the application behaves when errors occur, what it records, and what it reveals to the user.
- File system
File system layout is mostly a matter of the server hosting the application rather than of the application itself; however, file system misconfigurations, often combined with human error, can in some situations make an application error exploitable.
- Administrative interface
This check establishes whether the application has an administrative interface and whether access to it is properly protected.
- Configuration
This check verifies the configuration mechanisms and the storage of application settings (including passwords and customers' personal data).
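The "code injection" item above is the one most easily shown in code. The following is an added example, not code from the original page or from the audited service: a hypothetical login query built by string concatenation (the finding an audit looks for) beside the same query with bound parameters. The users table, the credentials and the injection payloads are constructed for the example; the in-memory SQLite database stands in for whatever backend a real application uses.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database.

    Passwords are stored in plaintext here only to keep the example short;
    a real audit would report that as a separate finding (see "proper manner
    of storing passwords" under expected results).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Input parameters are pasted straight into the SQL text.

    Anything the user sends becomes part of the query, so a quote character
    changes the query's structure instead of being treated as data.
    """
    sql = (
        "SELECT id FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: user input can only ever be data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def run_cases():
    """Run both implementations over legitimate and malicious input.

    Returns {case name: (vulnerable result, parameterized result)} where
    True means the login succeeded.
    """
    conn = make_db()
    cases = {
        # Legitimate credentials: both versions must accept them.
        "valid credentials": ("alice", "s3cret"),
        # Tautology in the password: becomes ... AND password = '' OR '1'='1'
        "tautology in password": ("alice", "' OR '1'='1"),
        # SQL line comment in the username: strips the password check entirely.
        "comment out password check": ("alice'--", "wrong"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_cases().items():
        print(f"{name:30s} vulnerable={vuln!s:5s} parameterized={safe!s:5s}")
```

Only the legitimate credentials log in through the parameterized version; both injection payloads succeed against the concatenated query. The same pattern (untrusted input spliced into a command, a template, or a shell line) is what the audit item covers for other injection classes; the fix is always to pass input through an interface that separates code from data.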
Expected results:
- an appropriately chosen password policy
- secure authorization mechanisms
- resistance to all brute-force login attempts
- confidence that passwords are stored properly (salted and hashed, never in plaintext)
- access to administrative elements restricted to authorized users only
- a secure algorithm for generating session tokens
- prevention of any form of session hijacking
- a correct audit trail within the application
- properly restricted access to resources that should not be exposed (backups, old files, temporary files)
- secure transmission (TLS) for customers