Software Assessment

The adoption of these practices, and their integration into the software validation process, can happen at different phases of the development cycle:
Software requirements collection
Architectural planning
Implementation, while the code is being written
Deployment of the application in testing environments
The approaches and methodologies that support this are:
SAST (Static Application Security Testing): analysis of the application's source code
DAST (Dynamic Application Security Testing): automated tests against a running application to locate any well-known vulnerabilities
SAST
Static Application Security Testing is a security assessment methodology based on the analysis of an application's source code, used to locate possible vulnerabilities before the software is released.
Many vulnerabilities are both common and dangerous: SQL injection, passwords or cryptographic keys hard-coded in the source, misconfigurations of the hosting environment or of the frameworks in use. These can be located through the code review process, which can be carried out entirely manually or automatically.
The most common approach relies on automated tools that analyse the source code and flag the portions of code that may introduce vulnerabilities; a manual review of the results is still necessary to weed out false positives.

DAST
Dynamic Application Security Testing is the assessment methodology that verifies the security of a running application. Dynamic analysis helps the customer test the security level and robustness of the software by simulating attacks aimed at tracking down vulnerabilities and compromising the application's operation.
In web applications, especially since the advent of Web APIs, there has been a surge of security problems related to authentication, authorization and illegitimate cross-time calls, which are readily identified by automated tools that simulate the requests even a low-skilled attacker could make.
These tests are also useful for checking configuration settings such as the strength of the SSL protocol, the cipher suites supported by the server, and any information disclosed about the web server, including the software version used to run the application.
