APPLICATION ASSESSMENT
The Clear Skies Application Assessment provides a rapid security assessment of an application's vulnerabilities,
either as initial validation before systems go live or as recurring testing to ensure the application
remains secure. The testing leverages a basic “black-box” methodology to test the overall system for security issues.
This initial examination helps identify common application vulnerabilities and logic errors that would not be the focus of
normal penetration testing techniques. Additional testing will be done on critical source code components to help identify
programming errors that may not be identifiable from external testing.
Service Summary
- Identifies both standard application vulnerabilities and logic errors that cannot be found through automated scanning
- In-depth analysis of application risks above and beyond normal penetration testing
- Conducted remotely (via the Internet) if the system is live, or within a lab environment to allow for a wider range of testing techniques
- Detailed recommendations to reduce risks
- Business analysis provides executive perspective
Methodology

Clear Skies’ methodology of Application Testing combines extensive technical testing with specialized analysis of findings to present a comprehensive
view of the risks associated with each identified vulnerability. An Application Assessment from Clear Skies incorporates
extensive technical vulnerability testing utilizing multiple user perspectives, manual logic bypass testing, as well as targeted
source code review for a comprehensive evaluation of the application’s security controls. Many companies that claim to do Application
Assessments only do automated vulnerability scanning using commercial security scanners with no manual analysis. This manual analysis
of the application’s execution logic is critical to properly assess the overall security of the application. Regardless of how well
the application code is written, if the underlying business logic is flawed, data leakage or access privilege execution may occur.
These are conditions that automated scanners simply cannot be programmed to examine.
The Clear Skies Application Assessment will examine the entire application environment using a combination of
automated scanners, manual exploitation techniques, and targeted source code review as well as technical testing of the systems and devices that support
the application environment. Upon completion of the testing, all identified vulnerabilities are documented with a detailed description
of the issues, as well as recommended corrective actions to help eliminate the risks going forward. Each vulnerability’s risk is evaluated
from business and technical perspectives, and an overall risk rating is provided.
The end goal of the assessment is to not only find the vulnerabilities, but also to provide an analysis of the application’s data that is at risk.
If application or system exploitation is successful, a detailed step-by-step narrative explaining how the exploits actually worked and what data could
be compromised is provided. Screen captures are utilized to illustrate and showcase the entire process so that the issues may be re-created, if necessary.
Additional Information

Clear Skies works hard to fulfill our promises and commitments in helping our customers be as strategic as possible in managing
their information security objectives. Our consultants have years of experience with security testing throughout multiple
industries, and this knowledge base is one of the key differentiators for Clear Skies. At Clear Skies we take
pride in our quality deliverables and our client satisfaction, and ultimately we want to ensure our Intelligence Secures
your Intelligence.