Security Testing


Today, many companies have branches across countries and in multiple locations within a country. This forces them to expose their applications to the Internet. Once an application is exposed to the Internet, there is a real chance that intruders or unauthorized users will do severe damage to it, which in some cases can cost the company heavy financial losses. Because application security has become critical for client-facing applications, VnVTestLab provides a security testing service.

QAExcellence ensures that the application under test is free from any vulnerability that an attacker could exploit.

Authentication

Ensure that all entities go through an appropriate and adequate form of authentication. Every non-public resource of the application must be protected, and that protection must not be bypassable. Password policies need to be strong enough that a user's password cannot be obtained by simple guessing. For transactions requiring a high level of security, multi-factor authentication needs to be implemented.


Session Management

Ensure the application uses secure session management practices, so that authenticated users have a robust and cryptographically secure association with their session.


Access Control

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated against entitlement checks. Check whether a user name or role name is passed through the URL or through hidden form fields. Prepare an ACL containing the role-to-function mapping and verify that users are granted access only as the ACL allows.
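The check described above, as an added example that is not VnVTestLab's code: a role-to-function ACL consulted on the server for every request, where only the role bound to the server-side session counts and any role or user name the client puts in the URL is ignored and reported as tampering. The function names, roles, parameter names and `Request` shape are assumptions for illustration.

```python
# Added example (not VnVTestLab's code): server-side access control driven by a
# role-to-function ACL. Function names, roles and the Request shape are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed ACL: role-to-function mapping. A function absent from the ACL is
# granted to nobody, so a new endpoint stays protected until someone adds it here.
ACL: Dict[str, Set[str]] = {
    "view_order":    {"customer", "support", "admin"},
    "update_order":  {"support", "admin"},
    "delete_user":   {"admin"},
    "admin_console": {"admin"},
}

# Parameter names a client should never be allowed to supply; their presence in
# a request is a URL-tampering indicator worth logging.
IDENTITY_PARAMS = {"role", "user", "username", "isadmin"}

@dataclass
class Request:
    function: str                                        # application function invoked
    query: Dict[str, str] = field(default_factory=dict)  # user-controlled URL parameters
    session_role: str = "anonymous"                      # role bound to the server-side session

def tampered_identity_params(req: Request) -> List[str]:
    """Names of user-controlled parameters that try to assert identity or role."""
    return sorted(p for p in req.query if p.lower() in IDENTITY_PARAMS)

def authorize(req: Request) -> bool:
    """Server-side check run on every request. Only the role held in the
    server-side session counts; anything the client says about its role is
    ignored. Unknown functions fail closed."""
    allowed = ACL.get(req.function, set())
    return req.session_role in allowed

if __name__ == "__main__":
    # A customer trying to escalate by adding ?role=admin to the URL.
    req = Request("delete_user", {"role": "admin", "id": "42"}, session_role="customer")
    print("authorized:", authorize(req))                       # False
    print("tampered params:", tampered_identity_params(req))   # ['role']
```

During a test, `tampered_identity_params` gives the evidence to record in the audit log, while `authorize` is the decision that must not change no matter what the query string says.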


Input Validation

Ensure input validation is performed to minimize malformed data entering the system. Input validation is NOT the primary method of preventing XSS (Cross-Site Scripting) or SQL injection.


Output Encoding

Ensure output encoding is applied throughout the system; it is the primary method of preventing XSS (Cross-Site Scripting) and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.
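The relationship between the two controls in the Input Validation and Output Encoding sections, as an added example that is not VnVTestLab's code: an allow-list pattern validates a structured field (a user name), while a free-text field that cannot be allow-listed without rejecting legitimate text is made safe by HTML-encoding it at the point of rendering. The field names and comment markup are assumptions.

```python
# Added example (not VnVTestLab's code): allow-list input validation for a
# structured field beside output encoding at the HTML rendering step. The field
# names and the comment markup are assumed for illustration.
import html
import re

# Structured field: an allow-list pattern can fully describe valid input.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def validate_username(value: str) -> bool:
    """Reject anything outside the allowed character set and length."""
    return USERNAME_RE.fullmatch(value) is not None

def render_comment(author: str, comment: str) -> str:
    """Output encoding at the point where untrusted data meets HTML.
    Free-text fields like `comment` cannot be allow-listed without breaking
    legitimate input ("I <3 this & that"), so escaping is what makes them safe.
    quote=True also escapes " and ', which matters inside attribute values."""
    safe_author = html.escape(author, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<p class="comment" data-author="{safe_author}">{safe_comment}</p>'

if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("<script>"))   # True False
    print(render_comment('x" onmouseover="alert(1)', "<script>alert(1)</script>"))
```

The same encoding is applied to the attribute value and to the element body; the two contexts differ only in which characters are dangerous, which is why the quote-escaping variant is used for both.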


Secure Transmission

Ensure that all the application's pages are served over the cryptographically secure HTTPS protocol. Prohibit the transmission of session cookies over plain HTTP.
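A tester's check for the transport requirements above, as an added example that is not VnVTestLab's code: given the scheme a page was fetched over and its captured response headers, it reports plain-HTTP delivery, a missing `Strict-Transport-Security` header, and session cookies set without the `Secure` or `HttpOnly` flags. The header values and the list of session cookie names are constructed for the example.

```python
# Added example (not VnVTestLab's code): a tester's check over captured response
# headers for the transport controls above. Header values are constructed.
from http.cookies import SimpleCookie
from typing import List, Tuple

# Common session cookie names (assumed list; extend for the framework under test).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}

def audit_transport(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if scheme.lower() != "https":
        findings.append("page served over plain HTTP")
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                      # parses name=value plus attributes/flags
        for key, morsel in jar.items():
            is_session = key.lower() in SESSION_COOKIE_NAMES
            if not morsel["secure"]:         # without Secure the browser sends it over HTTP too
                findings.append(f"cookie {key} lacks Secure flag"
                                + (" (session cookie can leak over HTTP)" if is_session else ""))
            if is_session and not morsel["httponly"]:
                findings.append(f"session cookie {key} lacks HttpOnly flag")
    return findings

if __name__ == "__main__":
    captured = [("Content-Type", "text/html"),
                ("Set-Cookie", "sessionid=abc123; Path=/")]   # constructed response
    for finding in audit_transport("http", captured):
        print("FINDING:", finding)
```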


Logging

Ensure that all security-related events are logged. Events include: user log-in (success/fail); view, update, create and delete operations; file upload/download; attempts to access resources directly through a URL; and URL tampering. Audit logs should be immutable and write-only, and must be protected from unauthorized access.
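One way to give an audit log the immutability the section asks for, as an added example that is not VnVTestLab's code: each record carries the SHA-256 hash of the previous record, so rewriting or deleting any entry breaks the chain and is detected by `verify()`. The event names follow the list above; the in-memory list stands in for a protected write-only sink, and the sample events are constructed.

```python
# Added example (not VnVTestLab's code): a hash-chained, append-only audit log.
# Each record stores the hash of the previous one, so editing or deleting any
# record is detected by verify(). The in-memory list stands in for a protected
# write-only sink; sample events are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

GENESIS = "0" * 64   # "previous hash" of the very first record

def _digest(record: Dict[str, str]) -> str:
    """Hash every field except the record's own hash, with stable key order."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    def append(self, event: str, user: str, outcome: str, detail: str = "") -> Dict[str, str]:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": user, "outcome": outcome,
            "detail": detail, "prev": prev,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Walk the chain; any edited, removed or reordered record fails."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def demo() -> Tuple[bool, bool]:
    """Returns (chain intact after writes, chain intact after tampering)."""
    log = AuditLog()
    log.append("login", "alice", "fail", "bad password")
    log.append("login", "alice", "success")
    log.append("url_tampering", "alice", "blocked", "role=admin in query string")
    intact = log.verify()
    log.records[0]["outcome"] = "success"   # someone rewriting history
    return intact, log.verify()

if __name__ == "__main__":
    print(demo())   # (True, False)
```

In a real deployment the chain head would be anchored somewhere the application cannot write (a separate log host, or a periodically signed checkpoint); the chain alone proves tampering happened, not who did it.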


Admin Pages

Ensure that admin pages are segregated from user pages. Appropriate and adequate access controls must be used to prevent ordinary users from gaining access to admin pages. Ensure that the necessary audit trails are saved for all administrative transactions.


Error Handling

Detailed exceptions and stack traces should never be displayed to the user. Instead, a generic error page should be displayed for every application error scenario. All exceptions must be logged and examined later. The application must always fail safe in every error scenario. This way an attacker learns nothing about the development or deployment environment and cannot make use of flaws built into that environment for an attack.
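The behaviour described above, as an added example that is not VnVTestLab's code: a wrapper runs a page handler, and on any exception records the full stack trace server-side under a reference id, returns a generic page carrying only that id, and answers with a failure status so nothing partial is served. The handler signature, page text and in-memory error log are assumptions.

```python
# Added example (not VnVTestLab's code): a request wrapper that hides exception
# details from the user, logs the full trace under a reference id, and fails
# safe. The handler signature and page text are assumed.
import traceback
import uuid
from typing import Callable, Dict, List, Tuple

# Stand-in for the protected server-side error log.
ERROR_LOG: List[Dict[str, str]] = []

GENERIC_ERROR_PAGE = ("<h1>Sorry, something went wrong.</h1>"
                      "<p>Please quote reference {ref} when contacting support.</p>")

def handle_request(handler: Callable[[], str]) -> Tuple[int, str]:
    """Run a page handler. On success return (200, body). On any exception,
    log the stack trace with a reference id and return (500, generic page):
    the user sees only the reference, never the trace, class name or paths."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        ERROR_LOG.append({"ref": ref, "trace": traceback.format_exc()})
        return 500, GENERIC_ERROR_PAGE.format(ref=ref)

def broken_page() -> str:
    """Constructed failing handler: reads a configuration key that is absent."""
    config = {}
    return "DB host: " + config["db_host"]

if __name__ == "__main__":
    status, body = handle_request(broken_page)
    print(status, body)                   # 500 and the generic page
    print(ERROR_LOG[-1]["trace"])         # full trace stays server-side
```

The reference id is what ties a user's complaint to the logged trace, so support staff can find the exception without the page ever exposing it.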


Cross Domain Attack

Ensure that adequate controls are present to protect against Cross-Site Request Forgery, clickjacking and other malicious third-party scripts.


Enforce Post Method

To avoid Cross-Site Request Forgery attacks, all actions other than requests to display content on a page must be restricted to the POST method. A POST request is more difficult to forge.
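The controls of the Cross Domain Attack and Enforce Post Method sections together, as an added example that is not VnVTestLab's code: a per-session CSRF token issued when a form is rendered and checked with a constant-time comparison on submit, combined with the rule that anything other than a display action is accepted only via POST. The action names and the in-memory token store are assumptions.

```python
# Added example (not VnVTestLab's code): per-session CSRF tokens combined with
# a rule that state-changing actions are accepted only via POST. Action names
# and the in-memory token store are assumed.
import hmac
import secrets
from typing import Dict, Optional

# Actions that only display content; everything else changes state.
SAFE_ACTIONS = {"view_account", "list_orders"}

class CsrfGuard:
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}   # session id -> token, server side only

    def issue(self, session_id: str) -> str:
        """Called when rendering a form; the token goes into a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def allow(self, session_id: str, method: str, action: str,
              submitted_token: Optional[str]) -> bool:
        """Decide whether a request may perform `action` for this session."""
        if action in SAFE_ACTIONS:
            return True                      # read-only: GET is fine, no token needed
        if method.upper() != "POST":
            return False                     # state change via GET or a plain link is rejected
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False
        # Constant-time comparison; a cross-site page cannot read this token.
        return hmac.compare_digest(expected, submitted_token)

if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("sess-1")            # rendered into the transfer form
    print(guard.allow("sess-1", "GET", "transfer_funds", token))    # False: wrong method
    print(guard.allow("sess-1", "POST", "transfer_funds", token))   # True
```

Tying the token to the session rather than issuing one global value is what makes the check meaningful: a token captured from another session is rejected even when it is syntactically valid.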

