With the consultancy approach, we can take the analysis further following a pentest and focus on specific security issues.
As part of a project for the development or redesign of a Web platform, it is advisable to integrate safety thinking from the technical and functional design phase.
Tackling technical and functional specifications from the point of view of an attacker avoids classic pitfalls and incorporates security prerequisites into the specifications.
The methodological approach is as follows:
In this first phase, we become acquainted with the development project and collect elements on the technical and functional context of the client.
This phase consists in analyzing the architecture documentation provided by the client, in order to identify the technical weaknesses as well as the weaknesses related to the business logic.
In the results presentation phase, we make technical security recommendations to the client, divided into 10 key themes (authentication, session management, confidentiality, integrity, continuity of service, technical protection of control of the application, functional protection of control of the application, elements to be tracked and logged, compliance constraints, configuration constraints).
The white box audit of a server allows access to a level of information that is inaccessible for a pentester (except in the case of a major flaw) in order to secure the server configuration as much as possible.
This approach consists of conducting a security level analysis by having administrator access to the server.
The white box audit of a server includes the following aspects:
The audit also includes tests conducted from outside the server, similar to tests performed during a pentest, to detect unsecured open services, outdated software, security element breaches, or configuration errors.
According to the same principle, the white box audit of an application allows access to a level of information that is inaccessible for a pentest (except in the case of a major flaw) in order to secure the application layer as much as possible.
This approach consists in analyzing in detail the source code of the application in order to measure its level of security and propose corrective measures.
This is particularly useful in two cases:
The white box audit of an application includes the analysis of the following aspects (this list is not exhaustive):
This makes it possible to propose patches to protect against all known technical vulnerabilities (listed particularly by OWASP, such as injections, XSS, CSRF, XXE, etc.) as well as logic flaws related to the business rules implemented in the solution.
The white box audit of a Website based on a CMS [content management system] performs an in-depth search of the typical vulnerabilities of this type of site, or to find the source of the security problems that resulted in hacking.
The approach applied during a CMS audit is twofold:
The details of the work to be carried out will be adapted according to whether the audit is commissioned for the purpose of prevention or for the purpose of restoring a site that has been the victim of one (or more) attacks.
This type of service applies to different content management systems, including: WordPress, Drupal, Joomla, Prestashop, Magento, etc.