
Web Application Security Whitebox

Essentials

A White Box code review is the most accurate way to find and diagnose many security problems. There are dozens of security problems that simply cannot be found any other way. Additionally, a code review is the only way to verify that security controls have been implemented correctly. SecureState takes a hybrid approach to the White Box WAS Assessment by combining automated and manual testing. This approach provides a more accurate and comprehensive assessment that is also cost effective.

  • White Box code reviews are the most accurate way to find security problems
  • SecureState’s White Box WAS approach includes combining automated and manual testing
  • SecureState partners with Veracode which uses static binary analysis technology
  • Using Veracode, SecureState can assess desktop or “fat client” compiled applications as well
  • Extreme and High vulnerabilities from Veracode analysis are manually validated by SecureState

Benefits

SecureState partners with and utilizes Veracode static binary analysis technology to initially assess the web application for coding flaws and vulnerabilities. Static analysis looks at applications in a non-runtime environment. This method of security testing has distinct advantages: it can evaluate both web and non-web applications through advanced modeling, and it can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone. By looking at the code in its “final” compiled version, Veracode can evaluate vulnerabilities introduced by linked libraries, APIs, compiler optimizations and third party components, which standard source code testing cannot easily identify. In addition, specific instances that may be considered insecure or leave a security flaw within your application are identified, and SecureState manually verifies the extreme and high vulnerabilities that are found. Finally, we will provide a comprehensive report detailing where in the application flaws and vulnerabilities exist, as well as how we verified that these vulnerabilities truly exist.

Expertise

SecureState has partnered with Veracode for several years. This relationship has helped us provide White Box WAS Assessments of real value to our clients. The combination of Veracode’s best in breed technology with the Web Application Security experts at SecureState provides an unbeatable combination and value for our clients.

Did You Know?

  • A White Box WAS Assessment is the most thorough type of assessment you can complete on your web application
  • White Box WAS Assessments are an important part of your SDLC
  • White Box WAS Assessments should be completed before an application is put into production
  • Veracode is a leader for static analysis in the Gartner Magic Quadrant

Our Approach and Methodology

The SecureState Profiling Team is well known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment and accurately mitigate identified vulnerabilities. The SecureState Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement Interactions:

In this phase SecureState works with the client to establish the rules of engagement and the scope, and to exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.

Phase II – Information Gathering:

SecureState determines what programming language the application is coded in and whether it is a web application or a fat client desktop application. SecureState can assess both types of applications using static binary analysis. To start the static analysis, we require the compiled binaries of the application being tested. If possible, the client should also provide SecureState with the source code of the application. Once these two steps are completed, the compiled binaries are uploaded to Veracode via their secure web portal. No source code is ever uploaded to Veracode.

Phase III – Review of Findings:

Once results are returned from Veracode, our Team Members review all findings for false positives and ensure that each piece of the application has been through the Veracode process. This also includes all third party libraries and components, if they were provided during the Veracode analysis.

Phase IV – Validation:

SecureState manually reviews the findings by validating extreme and high findings either through manual techniques or by reviewing the source code, if provided by the client. This phase requires that the client provide SecureState with access to the web application and any necessary credentials. In the case of a fat client desktop application, SecureState only needs the source code to review.

Phase V – Reporting:

SecureState provides a comprehensive report detailing where in the application flaws and vulnerabilities exist (including line numbers and URIs), as well as how we verified that these vulnerabilities truly exist.

As part of the deliverable, SecureState provides a report which contains a short graphical summary aimed at senior management, a narrative body which details major findings, and a detailed findings section aimed at technical staff. SecureState also provides a closing call and a high level executive presentation to summarize the penetration test, as well as an opportunity to ask questions about the engagement.

What Makes Us Different

  • Partners with Veracode to provide the best value to our clients
  • Uses a team based approach for all Web Application Security Assessments
  • Utilizes proprietary Vulnerability Linkage Theory (VLT) to achieve a greater attack
  • Demonstrates proprietary tools to Clients during on site Web Application Security Assessments
  • Publishes our own Exploits, Zero Days and Tools to the Information Security Community
  • Profiling Team members are known as experts in Web Application Security Assessments worldwide
  • Contributed significantly to OWASP’s Web Application Testing Guide project
  • Profiling Team members are frequent speakers at national and worldwide security and hacking conferences such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Conducts all external Web Application Security Assessments and code reviews from our state-of-the-art hacking facility in SecureState’s world headquarters, a DOD cleared facility
  • Provides a secure two-factor authentication web portal for access to Web Application Security Assessment results
  • Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments to compare your company to your industry peers from a security perspective