Application Testing

Orenda Security application assessment services are customized to help secure your business-critical applications and ensure compliance with your industry security requirements.

Securing applications is more challenging than ever as the speed of application development continues to accelerate. Cloud technology adoption, agile development practices, DevOps and new technologies all offer attractive business value, but the speed of change is significantly impacting the ability to adequately secure business-critical applications. A timely security testing strategy composed of automated and manual testing in the SDLC and in production is essential to mitigate risk. Our team can help by developing and executing a custom testing solution to meet your business needs.

Application Penetration Testing process

Application penetration testing blends automated and manual technical security assessment to identify all the common vulnerabilities indicated by the OWASP (Open Web Application Security Project) standard and other leading industry frameworks. The application security assessment covers web applications, web services, mobile applications and thick client applications.

Web applications

Our team begins with an assessment of the design of your web application and estimates the likelihood of security issues based on threat modeling analysis. Manual testing is the primary testing method, but automated penetration testing is also performed. Orenda Security will focus on attacking, modifying, and hijacking client-server interactions, web services and APIs supported by the applications and can even target data assets used in your backend database systems.
Our dedicated experts will find and attempt to exploit security flaws that could allow privilege escalation, disclosure of sensitive information, injection of malicious code into trusted components, logic flaws, and other conditions generally recognized as posing security vulnerabilities. This approach allows us to identify all existing attack vectors and demonstrate the impact of a real-world attack. Orenda Security classifies vulnerabilities against the latest OWASP Top 10 web application security flaws. Key steps include:

Identification of application vulnerability

Identifying both standard application vulnerabilities as well as business logic errors that cannot be found through automated scanning (both credentialed and non-credentialed testing).

In-depth analysis

In-depth analysis of application risks beyond normal penetration testing. Clearly articulating the impact of exploiting the application vulnerabilities identified is essential to building an effective risk mitigation strategy.

Recommendations

We provide detailed recommendations to remediate the risks identified, but providing a detailed findings report is not enough. Our collaborative approach is to provide actionable guidance for prompt remediation while helping you devise enhanced protection strategies for your applications.

Providing analysis

Business analysis provides an executive perspective and recommended strategies for near- and long-term risk mitigation.

Mobile Applications

Orenda Security’s mobile application penetration test is comprehensive and begins with reviewing technical design documents, process flows, and the application’s security architecture in order to identify application attack surfaces.

Identified vulnerabilities are mapped to the OWASP Top 10 mobile application security flaws:

Improper Platform Usage

This flaw includes the misuse of a platform feature or failure to use platform security controls to protect a service or API. An attacker may feed malicious inputs or unexpected sequences of events to a vulnerable endpoint.

Insecure Data Storage

Insecure data storage vulnerabilities typically lead to the following business risks for the organization that owns the at-risk app: identity theft, fraud, reputation damage, external policy violation (PCI), or material loss.

Insecure Communication

This flaw may allow threat agents to exploit vulnerabilities to intercept sensitive data while it's traveling across a local network, a compromised Wi-Fi network, or carrier or network devices.

Insecure Authentication

This flaw covers poor or missing authentication schemes that may allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app, leading to the inability to verify a user’s identity.

Insufficient Cryptography

This flaw may result in the unauthorized retrieval of sensitive information from the mobile device leading to privacy violations, information theft or reputational damage.

Insecure Authorization

This flaw may allow for over-privileged execution of remote or local administration functionality, resulting in the destruction of systems or access to sensitive information.

Client Code Quality

This flaw may lead to exploitation resulting in foreign code execution or denial of service on remote server endpoints (and not the mobile device itself).

Code Tampering

This flaw may lead to exploitation resulting in unauthorized new features, identity theft or fraud.

Reverse Engineering

This flaw may lead to exploitation resulting in reverse engineering to achieve the following: reveal information about back-end servers, reveal cryptographic constants and ciphers, steal intellectual property.

Extraneous Functionality

This flaw may lead to exploitation resulting in exposure of how back-end systems work or in the execution of unauthorized high-privileged actions.

Testimonials

“Orenda has been a reliable partner for AMA and has helped us in our journey to develop and deliver secure applications to all of our AMA members. I recommend Orenda Security to other AAA and CAA clubs on the basis of a strong working relationship with AMA and an excellent track record of delivering technical expertise and high-quality assessments.”

Collin Moody
Chief Information Officer
Alberta Motor Association

Finding a reliable partner with a high degree of technical expertise is hard to find! Orenda Security was exactly what we were looking for. They help us improve the security posture of our product and application. I recommend Orenda Security to any security leader seeking reliable and robust security penetration testing services.

Kartik Agarwal
Chief Technology Officer
Concert Cloud Inc