Austin Computer Security logo Website Application Security

.
.
___________

Gain greater visibility
into your information
security infrastructure.
___________

Website Auditing

Our auditing process starts with an analysis of your operating system, software components and network configuration, and description of how the system functions are provided. Today, there are many specific compliance requirements to consider. These include (but are not limited to):

This analysis drives the choice of automated tools and manual procedures needed to perform the vulnerability analysis. The analysis will generate for you a detailed and comprehensive report to help you determine what if any remediation services you require of Austin Computer Security.

Security Program Evaluation, Recommendation, and Support

In today’s network environment, it no longer makes sense to manage security on an ad-hoc or component basis. Don’t wait for a breach; prepare your defenses now. Austin Computer Security has a long history working with clients to establish and institute a security program. We can help you:

  • Determine your security plan objectives through a review of your business disruptions risk, the regulatory compliance requirements, and your current security breach processes.
  • Develop your technical and personnel policies/processes through staff training and security tool implementation.
  • Integrate your security components, define and monitor standards, and ensure that security controls are configured correctly.

We will give you greater visibility into your information security infrastructure, so that vulnerabilities discovery and remediation happen quickly.

Software Security Review

It is critically important for software applications to be reviewed for security vulnerabilities both prior to and during and implementation. Austin Computer Security begins with OWASP and other secure coding guidelines and modifies these to conform to your own development tools, software architecture and proposed system function. This ensures that you end up with rules that are usable both for an initial review and maintainance of future development activities.

Java/J2EE specific issues may include:

  • Security of Java polymorphism
  • Secure use of declarative access control
  • Secure use of Java Authentication and Authorization Service (JAAS)
  • Java session fixation
  • Protecting binaries (bytecode obsfucation, signatures, jarsigner)
  • Java Cryptographic Extensions (JCE)
  • Logging
  • Exception handling
  • Operational environment constraints
  • Web based application components
  • Securing popular J2EE servers (Tomcat, JBoss, WebLogic, WebSphere)
  • Verification using Eclipse
  • Struts validation
  • Java Server Faces (JSF) validation
  • Classes of web attacks including SQL/LDAP/XPATH/shell/script code injection, Cross-site scripting (XSS), Cross-site request forgery (XSRF), Cross-site trace (XST)
  • Web Services security (SAML, WS-Security, XML Signature/Encryption
  • Automated code review tools for Java developers and future audit and how and when to apply them in the context of the organization's SDLC. Tools may include, but are not limited to Checksyle, Enerjy, ESC Java, FindBugs, Fortify, Gauntlet, Java Pathfinder, JChains, JiveLint, JLint, Jmetrics, JPaX, Lapse, Lint4j, and PMD. Support for manual security code review ranging from processes and procedures to conducting review

.NET specific issues may include:

  • Security of .NET polymorphism
  • Secure use of declarative access control
  • Secure use of .NET Authentication and Authorization
  • ASP.NET (SAML, WS-Security, XML Signature/Encryption)
  • XML Web Services
  • Windows Communications Foundations
  • Internet Information Server
  • .NET session
  • Protecting binaries (bytecode obsfucation, signatures)
  • .NET Cryptographic
  • Logging
  • Exception handling
  • Operational environment constraints
  • Web based application components
  • Securing Windows
  • Verification using Visual Studio
  • Classes of web attacks including SQL/LDAP/XPATH/shell/script code injection, Cross-site scripting (XSS), Cross-site request forgery (XSRF), Cross-site trace (XST)
  • Automated code review tools for Java developers and future audit and how and when to apply them in the context of the organization's SDLC. Tools may include, but are not limited to Fortify, FXCop,
  • Support for manual security code review ranging from processes and procedures to conducting review

Other Language/Environment Software

Austin Computer Security is actively investigating and continues to gain experience with additional software environments and languages (groovy, grails, drupal, struts, etc.)

Security System/Software Development Lifecycle (SDLC) Review

Austin Computer Security can work with you to ensure that the System Development Lifecycle that you are using is well-defined and meets your needs, whether it falls into the category of waterfall, iterative or agile. We will work with you to incorporate security in all phases of the SDLC, from design through operations, in a way that supports and enhances your development methodology.

  • Identified security activities for all phases of the SDLC including design, development, test, integration, fielding and operations.
  • Defined security SDLC framework to map security control development to waterfall, iterative or agile methodology variations.

We know that each organization is unique, so no system and management setup is inherently superior for all organizations. Austin Computer Security tailors methodologies within a single continuum that includes waterfall, iterative (RUP) and agile approaches and will most likely be a hybrid of multiple approaches.

  • Use Cases or User stories: emerging design does not negate the need for architecture even if requirements continue to be gathered from the customer during the development process.
  • Security test driven approach: Writing the security unit tests prior to development; eliminate ‘debt’ in the security area. This process of testing, coding and refactoring will incrementally grow security design patterns. Tools to verify scalability and other modeling must exist as part of the process.

Tailored Vulnerability Notification and Remediation Services

Most organizations have a wide variety of commercial and open source software components that they support. While an organization may or may not have automated patch support for core software components, there are often software components for which automated patch support is not provided - either because it is unavailable commercially for that product or because the service currently in use does not provide it.

We will work with organizations to establish what software components are automatically patched and who is responsible for patching software components that require manual intervention. Austin Computer Security has detailed and software component specific knowledge of current vulnerabilities. We can monitor this information and provide notification and remediation support services for you. Alternatively, we can develop and coordinate procedures and systems in place to allow you to maintain and act on that information, while providing remediation support when needed.