Frequently Asked Questions: WebApp Security Assessment (OnDEMAND Services)
  What are the advantages of SecurView’s pay-as-you-go model?
The key advantages are: (1) it is a cost-effective way to obtain assessment services, (2) there is no long-term contract, and (3) you can arrange for an assessment test to be done very quickly.
  How can your web assessment help if I already have virus protection software, an intrusion detection system or firewall in place?
Even if you have anti-virus software, an IDS or another protection measure in place, your web application can still be compromised by today's sophisticated attackers, who can exploit insecure application code, incorrectly configured servers, database vulnerabilities and/or browser vulnerabilities.

To protect yourself against these attacks, it is recommended that you test your web applications regularly.
  What services are performed in web application security assessment?
A SecurView web application assessment identifies all application-related vulnerabilities as well as web-server-related configuration errors. The assessment includes testing that addresses all 42 attack classes defined by the Web Application Security Consortium (WASC) as well as the Top 10 vulnerability classes listed by the Open Web Application Security Project (OWASP). The SecurView database has over 50,000 tests that provide comprehensive coverage.
Some examples of the vulnerabilities assessed are:

  • Vulnerabilities in the web application itself, such as SQL injection, cross-site scripting, session handling flaws, HTTP response splitting, stealth commanding, application buffer overflows, LDAP injection, XPath injection etc.
  • Vulnerabilities in the infrastructure underlying the web application, such as the web application server itself, other server configuration errors, weak password access controls, missing system patches and other access control weaknesses.
  What kind of applications does the assessment cover?
The test can cover all web applications accessible via the HTTP protocol. Basically, if you can access an application using a browser, then the application can and should be tested. SecurView can test any application that is accessible anywhere over the Internet. For testing applications accessible only from inside your network, we would need secure VPN- or SSH-based access.

Some examples of the web applications that require security assessment are:
  • Custom-built applications
  • E-Commerce portals
  • Content management portals
  • Public or private websites
  • Internal applications such as employee or partner portals
  • Billing, finance & banking-related applications
  • Customer relationship management applications
  • Enterprise systems
  What information do I need to provide in order to initiate an assessment?
Since we do a "black box" test, we require very little information about the application itself. You will need to provide the following information, along with your scan request, to ensure a smooth test execution:
  • Provide the URL or IP address of the application
  • Provide a test window (preferred start and end time). The customer can keep the window open for uninterrupted testing or provide multiple windows to ensure minimum disruption to the application users
  • Provide a temporary user credential (login / password) if you have an authenticated area on your website that you want us to test.
  • Provide contact details for a customer point of contact person that will be available throughout the test.
  • Provide any special instructions, e.g. connection information if the application needs to be accessed via VPN
  Can I schedule my scans whenever I want to?
Yes. You have the power and flexibility to do a test anytime you want to simply by submitting your scan request. You can also choose to run periodic tests -- monthly, quarterly, or semi-annually.
  How often should I do this test?
As a best practice, we recommend doing a test once every three months or whenever there is a significant change in your application. To ensure a higher level of security, regular testing of even an unchanged application is important, so that you are covered for new vulnerabilities that have been discovered since the last test.
  How does it help with compliance like PCI/ISO?
The final assessment report is formatted and detailed such that it often readily meets PCI and ISO requirements.
  How long does it take to complete an assessment?
The time needed to complete an assessment varies. It depends on multiple factors, including the size of the application, its complexity, its connectivity and other technical factors. It is therefore very difficult to provide an estimated time frame for a previously untested application. However, as a reference point, based on our experience, the assessment of a small web application of less than 50 pages typically takes 2-4 hours to complete.

In addition, the customer can provide multiple scan windows for the tests to be conducted. SecurView is able to start the assessment test during one window, pause the test when the window expires, then resume the test when the next window is available. Once the test commences, the customer will be informed of the status of the test through electronic alerts and, if necessary, we will contact you directly. All of these options and communication techniques ensure a smooth test experience for both the customer and SecurView.
  Will we receive notifications when the test is scheduled?
Yes, you will get email notifications when the test is scheduled and again when the scan is completed.
  Can I change my scan window after I have scheduled it?
Yes, you can change your scan window after scheduling it. If the test is already underway, we will pause it until your next scheduled scan window.
  What will I get after the assessment test?
You will receive an assessment report within 24 hours of test completion. In the report, SecurView will provide a list of all the security threats found in your application, including details of each threat’s impact, how each could be exploited by an external source, and how to address and fix the threats. We’ll also provide screenshots of potential attacks.

If your assessment indicates no severe threats, you will receive our Security Assessment Certificate. SecurView’s Security Assessment Certificate provides validation to both you and your users that your website is secure.
  Do you provide assistance in fixing the vulnerabilities?
Our test report provides detailed remediation recommendations. If you need additional help, we can also provide consulting services to you to develop specific remediation strategies.
  Will SecurView’s assessment test also review my web application code?
Our web application security assessment is a pure "black box" test and does not cover application code testing. If you are interested in getting your code reviewed, please contact us for details.
  How do you calculate the number of web pages for the test if a lot of the pages are dynamic web pages?
As a first step of the test, we verify the page estimate by spidering the application. Dynamic pages are counted by URL uniqueness, without considering variant/dynamic parameters.
For example: "www.app.com/page.jsp?id=12737" and "www.app.com/page.jsp?id=282828" are counted as the same page.
  A lot of rich internet applications now use AJAX technology and content management systems to provide an interactive experience. How is the web page count done in such a scenario?
AJAX-driven applications and CMS (content management systems) are treated the same way as any dynamic application. Here too, the size is determined by spidering the application and counting dynamic pages by URL uniqueness.

Sometimes customers forget to consider the size of the content management system while estimating the size of their application. If we find a wide mismatch between customer's package and the actual verified size, we report back and get approval to change the scope.
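The page-counting rule described in the two answers above (a page is identified by its URL with the query string ignored, so "page.jsp?id=12737" and "page.jsp?id=282828" are one page) can be implemented in a few lines. The following is an added illustration, not SecurView's spider or any of its code: it normalizes each spidered URL to a page key (lowercased scheme and host, default port dropped, query string and fragment discarded) and counts the unique keys. The sample URL list is constructed for the example.

```python
"""Count web application "pages" by URL uniqueness, ignoring dynamic parameters.

Added illustration, not SecurView's spider. It models the counting rule the FAQ
describes: URLs that differ only in their query string (e.g. ?id=12737 versus
?id=282828) are counted as one page. The sample URL list below is constructed
for the example.
"""
from collections import Counter
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def page_key(url: str) -> str:
    """Reduce a URL to the key that identifies a page for counting purposes.

    Scheme and host are case-insensitive, so they are lowercased; a default
    port is dropped; the query string and fragment (the dynamic parts) are
    discarded; an empty path is treated as "/".
    """
    if "://" not in url:              # spidered output sometimes lacks a scheme
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"   # keep only non-default ports
    path = parts.path or "/"
    return f"{scheme}://{host}{path}"


def count_pages(urls):
    """Return a Counter mapping each page key to the number of URL variants seen."""
    return Counter(page_key(u) for u in urls)


# Constructed sample: what a spider might return for a small dynamic site.
SAMPLE_URLS = [
    "http://www.app.com/page.jsp?id=12737",
    "http://www.app.com/page.jsp?id=282828",
    "http://WWW.app.com:80/page.jsp?id=5#top",
    "http://www.app.com/search.jsp?q=shoes&sort=price",
    "http://www.app.com/search.jsp?q=hats",
    "http://www.app.com/",
    "www.app.com",
    "https://www.app.com/login.jsp",
    "https://www.app.com:8443/admin/index.jsp",
]

if __name__ == "__main__":
    pages = count_pages(SAMPLE_URLS)
    print(f"{len(pages)} unique pages from {len(SAMPLE_URLS)} URLs")
    for key, variants in sorted(pages.items()):
        print(f"  {variants:2d} variant(s)  {key}")
```

On the constructed sample the nine spidered URLs collapse to five pages. Note that the rule only discards query-string parameters: an application that encodes record identifiers in the path (for instance /product/12737 and /product/282828) produces a separate page key for each, which is one reason a spidered count can differ from a customer's own estimate.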
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or Website are the property of their respective owners.
  What is Rapid Security Testing?
The Rapid test is a quick check of the top vulnerabilities done using automated technology. It is useful for smaller, less critical applications as well as for an intermediate security check of larger, critical applications.
  What is Comprehensive Security Testing?
The Comprehensive test not only covers everything that the Rapid test offers but also includes manual testing by our security experts. This test is useful for large, critical web applications involving dynamic business functions. It is also recommended to do a Comprehensive test whenever you upgrade your application or before launching a new version.
  Feature                                                             RAPID       COMPREHENSIVE
  Instant on-demand testing                                           Available   Available
  On-demand portal access                                             Available   Available
  OWASP Top 10 & WASC 26 threat classes coverage                      Available   Available
  Security test of network infrastructure supporting the application  Available   Available
  Automated false positive removal                                    Available   Available
  Detailed report with remediation recommendations                    Available   Available
  Security expert manual analysis & complete false positive removal   -           Available
  Specialized Web2.0 tests                                            -           Available
  Business logic vulnerability testing                                -           Available
  Application Denial of Service verification                          -           Available
  Custom tests                                                        -           Available
  Root cause analysis                                                 -           Available