
Vulnerability Assessment - consists of multiple customized test cycles designed to ascertain vulnerabilities, never to activate or exploit them.

Penetration testing - analyzes the outputs of Vulnerability Assessments and then utilizes various attack vectors and customized in-house exploits to penetrate the targeted application.

It has become a business standard to offer customers constant availability to conduct business from any location and at any time. The avenues chosen as a business enabler are customized online applications created by internal or outsourced software development teams.

Due to the nature of the information being processed by these online applications, this new technological avenue exposes companies to various security risks. These include, but are not limited to, loss of confidentiality of corporate or entrusted information, financial loss, loss of reputation, and loss of system availability. Precarious areas of online applications encompass:

                      Server-side user authentication, authorization and privileges
                      Server-side administrative account management and privileges
                      Back-end database exploitation
                      Inherited coding issues
                      Application session-state management
                      User Input Validation
                      Web application management and configuration issues
                      Protocol and services issues
                      Web client issues

By not being aware of the vulnerabilities within its online application, a company faces the risk of being breached and not knowing it. This places at risk not only the company, but also the entrusted information of its business partners and clients. The outcome of the public relations fallout could be devastating for the business of the company. For this reason, Application Vulnerability Assessments are part of security compliance and are usually exercised on a bi-annual basis or at the time of a major application development release.

With extensive experience in technology audits, RSS Inc. offers an Application Vulnerability Assessment (AVA) Service that caters to the needs of clients of all industries and sizes. Our service encompasses both security and privacy risks. Our seasoned professionals have performed vulnerability assessments and penetration testing engagements in various public and private sector organizations.

Prior to commencement of the AVA engagement, RSS Inc., jointly with the client, will establish the following:

                                        Attacker Classification - Serves to identify the category of attacker our team will mimic
                                        Information Disclosure - What level of initial information disclosure between our team and the client's technical team will be exercised
                                        Engagement Controls - Are different test-cycle scenarios

Testing cycles are designed to be executed in three levels:

                                        Without Credentials
                                        With User Credentials
                                        With Administrator Level Credentials

Our team will perform the following variety of application group-based attacks:

                                        Authentication & Session Management
                                        Canonicalization
                                        Configuration Management
                                        Cryptographic
                                        Input Validation
                                        Null Characters
                                        Overflows
                                        Parameter Manipulation
                                        System and User Information
                                        Privacy Assessment

AVA outcomes will be summarized in a final written report along with the findings, recommendations and supporting evidence. The RSS Inc. team will recommend the improvements in a pragmatic manner, taking into consideration the current technology investments and code development practices. This will ensure that our clients are familiar with the recommendations and improvements we are suggesting. Our team will ensure that the proposed plan of mitigation activities augments the client's engagement goals and the overall corporate security governance journey.

The RSS Inc. team will work in tandem with the client-assigned team throughout the entire engagement, thus ensuring completeness of the knowledge sharing.

Solution Benefits
By engaging RSS Inc. as a neutral third-party auditor, clients will be provided with unbiased information on the vulnerabilities identified within their customized on-line applications. Furthermore, it will enable companies to utilize seasoned professionals who have played a technology audit role in various public and private sector organizations. By bringing this external experience to the table, our clients will be in a position to shorten the information security governance maturing phase.

The immediate benefit of an application assessment for an organization is to identify known vulnerabilities within the environment before an adversary can find them. It allows for the chance to identify weaknesses in security controls set in place to prevent and/or detect vulnerabilities. This provides a proactive approach towards identifying vulnerabilities, misconfigured settings, and/or missing secure software development controls.

By having access to industry-leading security specialists, the client can rest assured that the assessment will be non-intrusive to their operations. The pragmatic recommendations, stemming from AVA findings, will enable companies to utilize their on-line application securely and to prioritize budgetary funds in the quest to enforce corporate compliance.

Overall, AVA activities will help in corporate risk mitigation by minimizing the potential disruptions of business activities, and will deliver value by ensuring that the promised benefits match up against the strategy. The RSS Inc. team will provide mid- and long-term plans containing milestones for improving application security controls.