Application Testing

Orenda Security application assessment services are customized to help secure your business-critical applications and ensure compliance with your industry security requirements.

Securing applications is more challenging than ever as the speed of application development continues to accelerate. Cloud technology adoption, agile development practices, DevOps and new technologies all offer attractive business value, but the speed of change significantly impacts the ability to adequately secure business-critical applications. A timely security testing strategy comprised of automated and manual testing, both in the SDLC and in production, is essential to mitigate risk. Our team can help by developing and executing a custom testing solution to meet your business needs.

Application Penetration Testing process

Application penetration testing blends automated and manual technical security assessment approaches to identify the common vulnerabilities described in the OWASP (Open Web Application Security Project) standards and other leading industry frameworks. The application security assessment covers web applications, web services, mobile applications and thick client applications.

Web applications

Our team begins with an assessment of the design of your web application and estimates the likelihood of security issues based on threat modeling analysis. Manual testing is the primary testing method, but automated penetration testing is also performed. Orenda Security will focus on attacking, modifying, and hijacking client-server interactions, web services and APIs supported by the applications, and can even target data assets used in your backend database systems.
Our dedicated experts will find and attempt to exploit security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, logic flaws, and other conditions generally recognized as posing security vulnerabilities. This approach allows us to identify all existing attack vectors and demonstrate the impact of a real-world attack. Orenda Security classifies vulnerabilities against the latest OWASP Top 10 web application security flaws. Key steps include:

Identification of application vulnerabilities

Identifying both standard application vulnerabilities and business logic errors that cannot be found through automated scanning (using both credentialed and non-credentialed testing).

In-depth analysis

In-depth analysis of application risks goes beyond normal penetration testing. Clearly articulating the impact of exploiting each identified application vulnerability is essential to building an effective risk mitigation strategy.

Recommendations

We provide detailed recommendations to remediate the risks identified, but providing a detailed findings report is not enough. Our collaborative approach is to provide actionable guidance for prompt remediation while helping you devise enhanced protection strategies for your applications.

Providing analysis

Business analysis provides an executive perspective and recommended strategies for near- and long-term risk mitigation.

Mobile Applications

Orenda Security’s mobile application penetration test is comprehensive and begins with reviewing technical design documents, process flows, and the application’s security architecture in order to identify the application's attack surfaces.

Identified vulnerabilities are mapped to the OWASP Top 10 mobile application security flaws:

Improper Platform Usage

This flaw covers the misuse of a platform feature or the failure to use platform security controls to protect a service or API. An attacker may feed malicious inputs or unexpected sequences of events to a vulnerable endpoint.

Insecure Data Storage

Insecure data storage vulnerabilities typically lead to the following business risks for the organization that owns the affected app: identity theft, fraud, reputation damage, external policy violation (e.g. PCI), or material loss.

Insecure Communication

This flaw may allow threat agents to intercept sensitive data while it travels across a local network, a compromised Wi-Fi network, carrier infrastructure or network devices.

Insecure Authentication

This flaw covers poor or missing authentication schemes that may allow an adversary to anonymously execute functionality within the mobile app or the backend server it uses, leaving the system unable to verify a user’s identity.

Insufficient Cryptography

This flaw may result in the unauthorized retrieval of sensitive information from the mobile device leading to privacy violations, information theft or reputational damage.

Insecure Authorization

This flaw may allow for over-privileged execution of remote or local administration functionality, resulting in the destruction of systems or access to sensitive information.

Client Code Quality

This flaw may lead to exploitation resulting in foreign code execution or denial of service on remote server endpoints (rather than on the mobile device itself).

Code Tampering

This flaw may lead to exploitation resulting in unauthorized new features, identity theft or fraud.

Reverse Engineering

This flaw may lead to exploitation through reverse engineering of the app to reveal information about back-end servers, reveal cryptographic constants and ciphers, or steal intellectual property.

Extraneous Functionality

This flaw may lead to exploitation resulting in exposure of how back-end systems work or in unauthorized high-privileged actions being executed.

Testimonials

Orenda Security testing of our healthcare technology applications helps us provide security assurances to our clients. Their consultants have worked well with our teams on improving secure coding practices and enhancing overall systems security practices.

Anonymous

Orenda Security penetration testing engagements have not only been beneficial in helping us identify and remediate critical vulnerabilities in our Financial Technology products, but also in adhering to PCI DSS penetration testing requirements.

Anonymous

Orenda Security helps us secure our client-facing applications by working with us to identify security vulnerabilities and providing key guidance on remediation. Their collaborative approach during security assessments continues to be of great value to us.

Anonymous