Websecure Advanced
Comprehensive Application Security Certification: This engagement adds manual scrutiny by a Security Audit Expert to the tool-based approach used in Basic Certification. Security audit tools have a number of limitations. There are numerous examples of vulnerabilities that went unnoticed in the tool-based audit phase but were caught by the eWorld Security team during manual verification. A number of well-known vulnerabilities are not necessarily known to the tools and hence cannot be caught by them (e.g. Insecure Id). In addition, these tools do not consistently catch even the vulnerabilities they are designed to catch. For example, while they are able to catch routine cross-site scripting vulnerabilities, they may miss more complex scenarios, such as SMS sent via mail without HTML encoding.
This engagement typically consists of a small eWorld team engaged for a period of 30 days for Websecure Advanced, depending on the application complexity. In addition to the Basic Certification, this service includes the following:
• Testing complex scenarios for vulnerabilities that commercial Security Testing tools are aware of
• Testing for vulnerabilities that tools do not test
• Auditing the application design and recommending changes for improved security
Both of the above packages include a fixed period of free email-based support after the engagement is complete. This support is for clarifying any queries on the contents of the report submitted by eWorld, particularly the suggested mitigation strategies.
Sunday, April 15, 2007