Nowadays, the majority of cyber-attacks target Web applications. This is because the era of unprotected network fences belongs to the past, mainly due to increased investment in corporate firewalls. Web apps therefore constitute an ideal unprotected attack surface for hackers. The compromise of a Web application may endanger the integrity of an entire enterprise, since sensitive information may be disclosed. Even worse, a compromised Web application can be the stepping stone for an escalated spear-phishing attack against an entire organization.
UBITECH has recognized the need to give the utmost consideration to all security aspects during the development and delivery of the projects it undertakes. As a result, all our engineers who take part in the development process are trained to assess security risks and react accordingly. Moreover, UBITECH has invested in dedicated software that is able to proactively detect severe security holes. Indicatively, UBITECH relies on ACUNETIX and BURP SUITE PRO to identify threats such as SQL Injection, XSS, and CSRF.
UBITECH provides the following security services:
- External Penetration Testing, which reviews the vulnerabilities that could be exploited by external users and exploits them to determine what information is actually exposed to the outside world. Some of the techniques used are: footprinting, public information and information leakage, DNS analysis and DNS bruteforcing, port scanning, services probing and exploit research.
- Internal Penetration Testing that protects from internal threats and ensures that internal user privileges cannot be misused, examining internally for any weakness that could be used to disrupt the confidentiality, availability or integrity of the network. Some of the techniques used are: internal network scanning, port scanning, system fingerprinting, services probing, exploit research, firewall testing, database security controls and network equipment security control.
- Web Application Penetration Testing that focuses only on evaluating the security of a web application, involving an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.
- Vulnerability Assessment and Management, which is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Vulnerability assessments are typically performed according to the following steps: (a) cataloging assets and capabilities (resources) in a system, (b) assigning quantifiable value (or at least rank order) and importance to those resources, (c) identifying the vulnerabilities or potential threats to each resource, and (d) mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
In particular, UBITECH provides the following Web Apps Security Audit Services, using the most sophisticated, state-of-the-art tools on the market:
- In-depth SQL Injection Analysis and Cross Site Scripting Reporting;
- Advanced Penetration Testing Analysis using HTTP Fuzzing Techniques;
- Authentication Mechanisms Testing, such as Single Sign-On and Two Factor Authentication;
- Extensive Reporting, including PCI Compliance Testing;
- Webpages Scanning and Crawling, dedicated per Web Server Type and Application Language;
- Detection of Blind XSS and DOM-based XSS Vulnerabilities;
- Identification of Server Side Request Forgery (SSRF) and XML External Entity (XXE);
- Identification of Mail Header Injection and Host Header based Attacks; and
- Identification of Local File Inclusions, Remote File Inclusions, etc.
Beyond dedicated web-based security analysis, UBITECH undertakes network-specific vulnerability analysis.