Application Security Testing

Security processes have been implemented to discover vulnerabilities in web applications and to effectively remediate high-risk vulnerabilities. Measures are taken to prevent attackers from gaining control over web-based applications and obtaining easy access to the server, database and other back-end IT resources.

The Application Security service provides reassurance in knowing an Agency’s application is secure from an outside malicious breach. The Quality Assurance team’s discovery processes comprehensively scan and manually exploit applications for possible security vulnerabilities.

Discovery Process

  • Applications are risk-assessed on several factors. Any personally identifying information, personal health information, or financial transaction information entered or stored in database tables is deemed highly sensitive data. Other factors considered are external exposure, user authentication, and hosting within a shared environment. A high security assessment value indicates the application should also be tested for business-logic exploits.
  • A thorough, detailed security scan is executed against the application using IBM Security AppScan Enterprise. The results are analyzed for validity, and false positives are removed from the scan findings.
  • Manual exploration with additional security tools and practices identifies information leakage and other damaging issues. These ethical hacking exercises attempt to penetrate an application in order to find security vulnerabilities a malicious hacker could potentially exploit.
  • The final discovery results are presented to the Agency, discussing the criticality of the discovered vulnerabilities and the potential for a breach.
  • Remediation of the vulnerabilities is the next step in securing an application, and it is up to the Agency to follow through with service requests to complete that work.