OWASP - Vulnerability Assessment and Mitigation Services
Vulnerability assessment or audit is the process of identifying and quantifying vulnerabilities in a web application or website using scanning and testing methods (e.g. Acunetix). A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product. The audit should be able to identify the business risks and suggest ways to mitigate, reduce, or minimize them. The PPIC team is trained in working with clients who are PCI compliant, and we make sure their sites are hardened and attack proof.
The most common vulnerabilities present in web applications are:
- SQL Injection: a code injection technique in which a user is able to inject code through form fields or the URL to retrieve results or compromise the security of the website.
- LDAP Injection: a code injection technique through which information directories like Microsoft ADS are compromised.
- Cross-site Scripting (XSS): a vulnerability which allows code injection by malicious web users into the web pages.
- Broken Authentication and Session Management: the application allows attackers to compromise passwords, keys, or session tokens, or to exploit implementation flaws.
- Security Misconfiguration: a secure configuration must be defined and deployed for the application, frameworks, application server, web server, database server, platform, etc.
- Sensitive Data Exposure: sensitive data, such as credit cards, tax IDs, and authentication credentials, deserves extra protection such as encryption or masking when exchanged through the browser.
- Phishing: login verification or other user authentication steps that are prone to identity or credential phishing, account harvesting, etc.
PPIC has vast experience with vulnerability audit preparation and implementation of mitigation plans. We have served Programmers Investment Corp in projects like pyXis, Identity IQ, CITI Bank - Credit Protect, MyFreeScoreNow, Daily Donor, etc. PPIC has helped clients pass vulnerability testing time and again. The vulnerability assessment service provides details of internal security issues arising from insecure configurations, weak settings, and policy non-compliance on your IT assets.
PPIC helps ensure the following:
- Effective user name and password management rules are in place.
- Session management is done in an effective way, access to vulnerable folders is restricted, and directory listing is disabled on the web server.
- Effective authentication is performed before secure data is retrieved. Error messages for login management are defined.
- Pages that accept confidential information from users are not allowed to cache information in browsers.
- Account harvesting is avoided by making sure the account is locked after n tries.
- SQL injection is avoided by ensuring effective validation techniques.
- Client-side scripting is avoided.
- Sensitive data is partially masked.
- URL manipulation is avoided by passing encrypted data; if any manipulation is detected, the application logs the user out immediately.