Application Security

Today, millions of applications exist to make our lives easier and much more interesting. We can pay bills, shop online, or communicate with people all over the world. With these benefits and comfort, comes a great threat. In reality, there are always malicious attackers trying to attack the applications and stealing data.

According to market study, a typical 500 million dollars company would have developed approximately 3000 applications. Some minor application used for a seemingly inconsequential task may lead to a massive security breach. Organizations employ thousands of applications to conduct business. The reality is that businesses are building more applications at unprecedented rates. If these applications are not secure, then they are serving as new doors for hackers to enter.

The long-term reputational damage associated with critical security breaches can often lead to intangible costs and possibly loss of business. Company website, for example, is organization's brand, and often it's first contact with customers. If that is not safe and secure, those critical business relationships can be compromised. The threats can come in many forms – infecting an application with malware with an aim to infect the users, getting unauthorized access to sensitive information like customer names, email addresses, credit card and other transaction information and even propriety information and hijacking or crashing the website.

A security breach at a relatively smaller business application may not result in significant security impact, but it may still result in a huge impact on customer's trust when such incidents are known.

An unprotected application is a security risk to customers and other businesses as well.

Based on client needs, business criticality and environment, we offer separate or bundled services for application security.

Secure Software Development Lifecycle (S-SDLC)

We use our own unique methodology combining our years of experience in Software development, securing applications and frameworks like "Seven Touch point Model for Software Security", "Comprehensive Lightweight Application Security Process(CLASP)" to offer a comprehensive service which will ensure security at the development phase of an application, instilling security into its core.

Our experts impart security into the Software development life cycle of your application development programme by:

Enhancing security through a measurable process
Providing guidance on secure software activities
Conducting secure software development reviews
Provisioning the use of automation tools
Integrating these activities with foundational software development activities

Application Security Design Review

The purpose of this service line offering is to analyse the complete technology architecture of a new or existing application. The essential intention is to examine the application, data and network layers associated with the application and ensuring they are adequately secured. One of the primary objectives is to ascertain whether sensitive data stored, transmitted or processed is sufficiently protected. Relevant regulatory requirements like PCI, HIPAA, and GLBA are referenced as applicable.

Web Application Penetration Test

Web application penetration test involves uncovering vulnerabilities in the web application by using same methodology that a cyber-attacker would. False negatives are reduced by techniques like SAST and DAST.

Application is analysed architecturally and a relevant threat model is prepared of possible attacks on the web application. Then an approach is defined based on the criticality is the application and the derived threat model.

Besides globally accepted classes like OWASP Top 10, SANS Top 25 and OSSTMM, our assessments also uncover design level flaws, business logic risks and compound flaws.

Application Code Review

Security code review is a technique used to uncover programming flaws at the development phase in order to mitigate the vulnerabilities from source.

This service consists of two parts:

1. Manual Secure Code Review by a security expert
Manual code review is the strongest way to verify several key security controls like encryption, access control, data protection, logging, and system communication and usage at the back end. Manual code review reveals the actual security architecture as implemented, which helps in isolating and identifying architectural vulnerabilities.

2. Static Analysis using Automated Scanning
For larger volumes of code, the code is scanned using specially designed source code scanners customized to your business needs.

Remediation Support

Security Assessment is not thoroughly effective unless there is a reliable after-assessment process to remediate findings from the security reviews and scans. We provide remediation support as a part of standard services, and extended remediation support as required.

ANZEN combines one or more services as per the need and requirement with the aim to enable our clients to use robust and secure applications with enhanced business throughput.

The ANZEN Advantage

Testing is carried out by application security experts in various application technologies and platforms.
Follows industry best practices and guidelines such as the open web application security project (OWASP), the Web Application Security Consortium (WASC) and open source security testing methodology manual (OSSTMM)
High emphasis on manual verification along with automated tools (open source and commercial) based testing.
Vulnerability correlation facilitates in verification of automated and manually identified vulnerabilities and eliminating false positives.
Our Reporting describes the root cause of the flaw and suggest business/application specific remediation and supports organization in achieving target compliance requirements.