AppSec Insights

Application Level Security Analysis and Risk Assessment

Recent ransomware attacks exploiting zero-day vulnerabilities have been devastatingly effective. An automated attack can exfiltrate data from organisations around the world in the space of a few hours, and the attack can be over before anybody realises it is happening.

Existing detection and response technology, SIEM systems and threat intelligence services largely tell you what happened after the fact; most modern network defences have proved highly ineffective against this type of coordinated, global zero-day exploitation.

The lack of a meaningful security assurance label means that most organisations have no genuine insight into the real-world level of security provided by the products they deploy.

Our AppSec Insights service is designed to address this gap and provide objective, technically informed and well-balanced information on the level of security assurance provided by your production infrastructure and applications.

Our Process

It all starts with the right people: our staff have extensive hands-on experience covering commercial software development, product security, SDLC processes, application level vulnerability analysis, technical risk management and existing evaluation processes such as FIPS 140 and Common Criteria.

We fully understand what it takes to build an effective secure development process so we are in a unique position to provide a technically informed perspective on the real-world level of security assurance provided by a given product, as well as the vendor’s overall level of security process maturity.

Our software development background also means that we have a good understanding of the market dynamics that influence software security assurance.

We use a broad spectrum of measurements covering the vendor's security practices, the technical characteristics of the product, previous vulnerabilities and their mitigations, and in-depth application security testing and vulnerability analysis.

This provides a far more complete and reliable picture of an application than a penetration test engagement alone. Our goal is to measure the true extent to which the application has been designed, implemented and tested in accordance with accepted security engineering best practices.

We can provide a range of coverage levels, from an in-depth review of a specific application through to a high-level comparative review of a set of applications. The standard levels of coverage are outlined in the table below, but we are happy to provide a customised service if required.

The tasks performed during a Secmatics AppSec Insights engagement.

Technical findings from AppSec Insights engagements are collated into a simple high-level scorecard, designed to provide a concise picture of the overall security assurance level provided by an application. Our scorecards also make it easy to compare ratings for different products of the same type.

Our application security scorecards collate findings using the following high-level categories:

  • Architecture: Rates the extent to which the application’s components, users and administrators are able to interact in a secure manner whilst presenting a minimal and robust attack surface.

  • Implementation: Covers the inherent level of security associated with the languages and technologies used to implement the product along with the extent to which the implementation consistently defends against known threats and vulnerabilities.

  • Defence in Depth: Covers identity usage and privilege minimisation, along with any applicable platform- or technology-specific exploit prevention and risk reduction measures.

  • Deployment: The extent to which a typical deployment will be in a secure state. This covers the default configuration and any vendor secure configuration or lockdown guidance. Where applicable, metrics relating to secure configuration and patch state of existing Internet-visible product deployments will also be considered.

  • Vulnerabilities: A balanced assessment of past vulnerabilities, any vendor mistakes that allowed those vulnerabilities to exist, and the depth, timeliness and effectiveness of past security updates and vulnerability mitigations.

Customers using our EdgeScope ASM product or one of our managed service offerings can get access to reduced pricing on AppSec Insights engagements. We also offer a combined service that includes a basic level of AppSec Insights coverage for externally discoverable components deployed as part of your Internet-facing attack surface.

This combination provides a unique forward-looking indicator of future areas of risk from across your whole attack surface.

If you have any questions about this service, or would like to get a tailored quote for your organisation, then please get in touch.