Web application security is the practice of protecting web and mobile applications from threats that can lead to a wide variety of breaches, fraud and application downtime.
The discipline of finding and closing such security loopholes in internet and web-service based portals and applications is called web application security.
There are various kinds of threats to web applications and these can exist at various levels. To name a few, we have:
Besides this, any web application, no matter how secure, faces the constant threat of spammers and bots, which can send large amounts of unsolicited traffic to a site and cause significant downtime.
Web and mobile applications have become highly interactive. Besides reading static data, we add and update a lot of content on the web. We maintain our social identities and interact with friends and family. We store personal information on various sites. We query databases, carry out financial transactions and make payments on the web. All of this is convenient, but if the underlying web or mobile application is not secure, we are exposed to many risks. Web application security helps protect us from the following negative consequences:
Hackers and spammers can also release bots and all sorts of malware against our sites, which can bring our applications down, consume network bandwidth and CPU cycles, and prevent real users from accessing the site.
The two major security standards are as follows:
At Atlogys we help build secure mobile and web applications. Our tech leads, software developers, QA (software quality assurance) testers and system administrators are trained to keep security in mind when designing, coding, testing and deploying software. Security is part of our core architecture design philosophy, and we maintain a checklist of core security guidelines and tests which must pass in all our software.
Architect -> Code -> Deploy (RELEASE MGMT.)
With these techniques, we can address the threats mentioned above.
REACTIVE SUPPORT
If your application is facing security problems, or is running into security loopholes or threats, we can also help by providing a top-down approach to monitoring, controlling, securing and optimizing the application. We will use our testing capabilities to do the following:
We support web security in all aspects of web application development: core design, core application logic, backend and database, web services, network layers, launch hardware and deployment. Whatever the client-side and integration technologies used (JSON, jQuery, REST, AJAX, Flash, HTML5, CSS, XML-RPC, SOAP, etc.) and whatever the server-side language (PHP, Python, Java, .NET, Ruby, etc.), we ensure web application security across complete application workflows.
a. Selection of technologies
b. Low Level Database structure and setup – To name a few and to cite some examples, we test for the following:
c. Core architecture and Policies – We set guidelines and how-to’s for various policies which eventually form the core backbones of security. The decisions taken with regards to these policies are very crucial. To name a few, security gets affected by how you code and account for the following:
d. Coding Guidelines and Best Practices – Getting into low-level code and doing code review is a must. The following are typical security loopholes we detect in underlying code: dead stores, memory leaks, null pointer dereferences, incorrect pointer values, illegal array indices, bad function arguments, type mismatches, uninitialized variables, string expansion errors, option insertion errors, SQL injection, CSRF, XSS, etc.
e. Deployment and Cloud Computing – At Atlogys we focus on detail so that we may avoid errors in setup, configuration and linking of your network with various servers and databases, firewalls etc. To name a few and to cite some examples, we test for the following:
f. Release Management Cycle – Plan, develop and release frequently and with each release run security tests. Iterative testing and fixing is preferred over testing at project completion at the very end.
At Atlogys, we use various tools to identify security pitfalls. No single tool is enough or complete by itself. We adopt a hybrid approach, combining the tools listed below to carry out a thorough security analysis of an application.
At Atlogys we follow the OWASP Top 10, which describes in detail the most common attacks on web applications. We also keep up to date with the Web Hacking Incident Database so we know which attack methods are actually being used against real sites. We also follow the latest open source best-practice documents on web application security.
This is all in addition to the latest web security guidelines published by Microsoft and Google.
Information security professionals and attackers alike use social engineering to manipulate people. They deliberately win the confidence of end users and convince them to hand over key pieces of information, which are then used to mount an attack. This is the most obvious cause of leaks, yet also the most neglected.
Do you store passwords in files on your computers? Do you use common data such as your name, date of birth, city of birth or favourite pet's name for your PINs and passwords? These are habits that must be changed.
Techniques like tailgating, baiting and pretexting are common means of social engineering that cause security breaches.
Phishing is where the attacker sends an email or makes a phone call that appears to be legitimate; the user clicks a link in an email that looks real and ends up submitting all their information to the attacker.
At Atlogys, we avoid such hidden issues by ensuring that:
Security is not a one time check. Post deployment of your application, you must run it through a battery of web application security tests at regular intervals.
If your site undergoes continuous releases, feature enhancements or bug fixes, it is important to run the security tests with each deployment.
At Atlogys we provide an EED (engineering eye for detail) service wherein we will audit and assess your application for security pitfalls at regular intervals and code in the necessary fixes.