Security Audits

We offer security audits for web and mobile applications. Our security audits include source code reviews, penetration testing and infrastructure analysis. Our consultants use both automated tools and carry out manual tests.

Vulnerability Risk Assessment

We base our assessment and classification of weaknesses and security vulnerabilities on the DREAD Risk Assessment Model:

  • Damage - If a threat exploit occurs, how much damage will be caused?
  • Reproducibility - How easy is it to reproduce the threat exploit?
  • Exploitability - What is needed to exploit this threat?
  • Affected users - How many users will be affected?
  • Discoverability - How easy is it to discover this threat?

Vulnerability Checks

For web applications we check at least for the following vulnerabilities:

  • Information Disclosure from related infrastructure, e.g. DNS, and from public search engines
  • Information Leaks from the application, e.g. comments, files, library versions
  • Misconfiguration
  • Password security
  • Logical flaws
  • Cryptographic problems, e.g. padding oracle
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgeries (CRSF)
  • SQL/Code Injection
  • Other injection vulnerabilities, e.g. XPath, Email, Unicode
  • Authentication Bypass
  • Session Security, e.g. entropy of the session cookie, cookie flags
  • Open Redirects
  • Clickjacking
  • Problems with input/output filters, e.g. incorrect regular expression
  • Denial-of-Service
  • CAPTCHA und anti-automation
  • Operating system and application hardening
  • Programming mistakes, e.g. redundant source code

Not only do we test and review the server-side part of the web application such as database backends, or parts written in PHP or in other scripting or programming languages, we also check the client side and interactive components such as JavaScript libraries, Flash applets etc.

Detailed audit report

After the audit our clients receive a detailed audit report which documents the areas reviewed, the errors identified and include a comprehensive risk analysis of the application. Each finding includes a recommendation on how to fix the issue. In addition the report comprises a prioritised listing of the errors identified (critical, high/medium/low risk) and provides recommendations for the sequence in which they should be addressed and resolved.

Interested in more details?

We will be glad to answer your questions or you can request more information by using our contact form or write an email to info@sektioneins.de.