ATGi - Services Provided
ATGi Services

ATGi Software & Application Security

The Big Picture

ATGi offers Application Penetration Assessments, Application Threat Modeling, Design and Architecture, and Source Code Security Assessments to help you achieve the security of your software applications and your company’s compliance with various standards and legal requirements.

Examples of the standards, standard-setting bodies and legal requirements include: the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), ISO/IEC 27001, the Gramm-Leach-Bliley Act, the Open Web Application Security Project (OWASP Top 10), Common Weakness Enumeration/SANS (CWE/SANS Top 25), CERT, and the Control Objectives for Information and related Technology (COBIT), as well as the myriad of agency-specific requirements ranging from the FDA to the DOE to the FAA to the DOD.

The bottom line is that ATGi helps you develop and maintain secure and compliant software applications.

Application Penetration Assessment

The National Institute of Standards and Technology estimates up to 92 percent of today’s vulnerabilities are at the application layer. Almost every major application in use today has had at least one critical vulnerability broadcast, resulting in loss of sales as well as loss of reputation and customer trust. ATGi’s Application Penetration Testing service looks at an application from the perspective of a malicious hacker and finds the holes before they can be disclosed publicly and exploited.

  • We find holes in applications.
  • We perform security quality assurance before applications are released.
  • We understand your risk and the potential impact to your business and products.
  • We do manual testing for accuracy and effectiveness.
  • We offer active knowledge transfer of testing techniques, issues, and remediation to our customers.

The testing begins with static reviews of the binary executables and libraries that make up the application. Server level scans search for known vulnerabilities and common misconfigurations. Our application penetration assessment consultants then perform an application discovery process to gather information about the application and search for information disclosure vulnerabilities that reveal secrets such as passwords, cryptographic keys, or customer information. With this data in hand, ATGi conducts the bulk of the testing, which consists of:

  • Configuration management testing, including unearthing the presence of sensitive information in configuration files or environment information that can be tampered with to alter application behavior, as well as secrets and textual strings in the application binaries themselves or in memory.
  • Data protection in storage and transit when sensitive information is communicated across the network or stored on disk or in a database.
  • Authentication and authorization testing to determine opportunities for authentication bypass and privilege escalation.
  • Session and state management checks for session hijacking and other such attacks.
  • Data validation testing detecting problems such as SQL injection and buffer overflows.
  • Error handling and exception management testing that attempts to crash the application into an insecure state or to test for information disclosure through crash dump files.
  • Auditing and logging checks that attempt to subvert audit trails, create fake log entries, and discover sensitive information from the log files or use the logging mechanism as an attack vector.

During all of the testing, the main goal is to compromise the application's servers and/or remote agents/clients. Additionally, ATGi searches for application vulnerabilities that would allow an attacker to gain access to the underlying operating system or the backend database servers.

Application Threat Modeling, Design, and Architecture

Research has shown that fixing security problems early in the development cycle is both more efficient and more cost effective than the traditional penetrate-and-patch model. ATGi application threat modeling services allow our consultants to identify software security problems before the software is even built. Software engineering studies have shown that about 80 percent of the security bugs and flaws are introduced during the early stages of software development, often before even a single line of code has been written. Using application threat modeling, we can typically identify more than 75 percent of the issues. We have significant experience building models for portals, e-commerce sites, and financial services. ATGi starts all sizeable code assessments with a threat model. Threat models help us reduce the code base we need to examine to a smaller scope.

ATGi's capability in building application threat models originates with our software and application security (SASS) consultants. Our SASS consultants have all worked as development practitioners on commercial enterprise software systems and understand the software development process as well as why and how security bugs and flaws are introduced.

Conceptually, threat modeling is a systematic process that consists of several discrete steps with clearly defined entry and exit criteria, deliverables, and objectives. Our process focuses on the following key activities:

  • Identifying the threat modeling team
  • Defining the risk ranking model to be used, if any
  • Agreeing on terminology for the modeling activity
  • Modeling the business environment
  • Technical threat modeling assessment
  • Mitigation and developer education
  • Technical report based on results from the automated scans using the tools described above
  • Executive summary which describes both the results from the report above as well as architectural flaws, systemic issues and the major sources of risk identified by ATGi consultants for this application. This will include people, process and technology issues.
  • Executive presentation that contains recommendations for mitigating risks as well as proposed next steps. ATGi can work with the customer to ensure this presentation is created at the right level for the proposed audience.

Source Code Security Assessment

We use commercial inspection tools to help us automate the process, and ATGi experts manually validate issues and inspect code to overcome the limitations of automated tools and of techniques that are ineffective. Our application security consultants find policy or best practice violations such as inappropriate cryptographic algorithms and common semantic language constructs that lead to vulnerabilities.

We have expertise in VB.Net, C#, Java™, CFML, and PHP, working within development frameworks such as J2EE and the .NET framework, and developing on Win32 and UNIX platforms.

Armed with the threat model and a complete understanding of the application's architecture, we use automated tools to assess the code for semantic and language security bugs. In general, we are looking for two types of issues: design flaws and implementation bugs. Design flaws include poor design ideas that have been implemented, such as choosing an inappropriate source of randomness for cryptographic key generation. Implementation bugs are typically syntactical or semantic language constructs that lead to security vulnerabilities.

Our detailed reports provide specific vulnerability information including line and file locations, the issue itself, and suggested solutions. We also provide an overview, including statistics for code sections such as the vulnerability density in specific areas (per 1,000 lines of code) and suggested strategic remediation such as the creation of reusable components or security libraries.

ATGi will provide an executive summary which describes both the results from the report above as well as architectural flaws, systemic issues and the major sources of risk identified by ATGi consultants for this application. This will include people, process and technology issues.

Based on the results of ATGi’s Application Source Code Assessment we will train your developers about all relevant issues including: how to use analysis tools, how to identify flaws, and common remediation techniques. Without training, your team is destined to introduce new vulnerabilities.

We will actively participate in the remediation process, and run our assessment again after remediation to demonstrate the level of improvement in the code base.

Finally, ATGi will guide your development team in the creation of an assessment process relevant to your organization. This will empower your team to repeat this process in-house to meet your company’s security posture, policies, etc. in order to stay secure.
