Thick App Penetration Testing

United States

Oscar Technology

The following is an overview of the Thick Application Penetration Test:

  • The assessment will evaluate the application for security vulnerabilities from the perspective of an authenticated user. If multiple user types exist, testing will be performed using each type. During the testing, manual and automated processes leverage commercial, open-source, and proprietary software. All automated findings will be manually verified to minimize false positives.

  • The penetration test will target common thick application attack vectors such as the file system, the registry, system memory, network communications, and graphical user interfaces.

Specific areas of focus will include, but are not limited to:

Static Analysis: During the static analysis phase of testing, the following areas will be reviewed:

  • Service account roles and permissions (client, application server, database server)

  • Application file, folder, and registry permissions

  • Application service, provider, WMI subscription, task, and other permissions

  • Assembly compilation security flags

  • Protection of data in transit

  • Hardcoded sensitive data and authentication tokens (passwords, private keys, etc.)

  • Hardcoded encryption material (keys, IVs, etc.)

  • Use of insecure encryption and hashing algorithms

  • Database user roles and permissions

  • Database and server configurations
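Two of the static-analysis items above (file, folder and registry permissions, and assembly compilation security flags) can be checked mechanically before any manual review. The PowerShell script below is an added example written for this page; it is not code from the job posting or from Oscar Technology. It lists every file, folder and registry key under the application's install location on which a low-privilege identity holds write-type rights, and reads the DllCharacteristics field of each PE image to report whether ASLR, high-entropy VA, DEP and Control Flow Guard were enabled at compile time. The install directory, registry key and identity list are placeholders to be replaced for the application under test.

```powershell
# Added example (not from the job posting): static review of application ACLs and PE mitigation flags.
param(
    [string]$InstallDir  = 'C:\Program Files\ExampleThickApp',  # placeholder install path
    [string]$RegistryKey = 'HKLM:\SOFTWARE\ExampleThickApp'     # placeholder registry key
)

# Identities that should not be able to modify application binaries or configuration.
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Only write-type bits; deliberately excludes read/execute bits so read-only ACEs are not flagged.
$FileWriteBits = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
$RegWriteBits  = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Find-WeakFileAcl {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $LowPrivIdentities -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band [int]$FileWriteBits) -ne 0)) {
                [pscustomobject]@{ Object = $item.FullName; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Find-WeakRegistryAcl {
    param([string]$Path)
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $LowPrivIdentities -contains $ace.IdentityReference.Value -and
                (([int]$ace.RegistryRights -band [int]$RegWriteBits) -ne 0)) {
                [pscustomobject]@{ Object = $key.Name; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-PeMitigationFlags {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header starts with 'MZ'; e_lfanew at offset 0x3C points to the 'PE\0\0' signature.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -le 0 -or ($peOff + 96) -gt $b.Length -or $b[$peOff] -ne 0x50 -or $b[$peOff + 1] -ne 0x45) { return $null }
    # Optional header follows the 4-byte signature and 20-byte COFF header;
    # DllCharacteristics is at offset 70 within it for both PE32 and PE32+.
    $dllChar = [BitConverter]::ToUInt16($b, $peOff + 4 + 20 + 70)
    [pscustomobject]@{
        File          = $Path
        ASLR          = [bool]($dllChar -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA = [bool]($dllChar -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        DEP           = [bool]($dllChar -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        CFG           = [bool]($dllChar -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
    }
}

Write-Host "== Files/folders under $InstallDir writable by low-privilege identities =="
Find-WeakFileAcl -Path $InstallDir | Format-Table -AutoSize
Write-Host "== Registry keys under $RegistryKey writable by low-privilege identities =="
Find-WeakRegistryAcl -Path $RegistryKey | Format-Table -AutoSize
Write-Host "== Exploit mitigation flags in executables and DLLs =="
Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } | Format-Table -AutoSize
```

The write-bit masks exclude the read and execute bits on purpose: `FullControl` and `WriteKey` overlap with read rights, so masking against them would flag every read-only ACE. Inherited entries are reported with `Inherited = True` so a weak ACE can be traced to the parent folder or key it came from rather than to the application installer. A false on `ASLR` or `DEP` for a managed (.NET) assembly is still worth recording, since the flag reflects how the assembly was compiled even though the CLR applies its own loader settings.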

Dynamic Analysis: During the dynamic analysis phase of testing, the following areas will be tested and reviewed:

  • Authentication and authorization controls enforced on the client and server

  • Application user roles and permissions

  • Application workflow logic between GUI elements

  • Web Services utilized by the application using web application testing methodology

  • File system changes including file and folder creation, deletion, and modification

  • Registry changes including creation, deletion, and modification of keys and values

  • Application objects and information stored in memory during runtime

  • Use of insecure encryption and hashing algorithms

  • Network protocols utilized by the application (SMB, FTP, TFTP, etc.)

  • Database connections
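The file-system and registry items in the dynamic list above are usually assessed by recording what the application creates, modifies or deletes while it is exercised, then reviewing each changed artifact for sensitive content and weak permissions. The PowerShell script below is an added example for this page, not code from the job posting or from Oscar Technology: it takes a snapshot of file hashes and registry values under a set of watched locations, waits while the tester drives the application, takes a second snapshot and prints the difference. The watched directories and keys are placeholders.

```powershell
# Added example (not from the job posting): before/after snapshot of file-system and registry changes.
param(
    [string[]]$WatchDirs = @('C:\Program Files\ExampleThickApp',           # placeholder paths
                             "$env:LOCALAPPDATA\ExampleThickApp",
                             "$env:ProgramData\ExampleThickApp"),
    [string[]]$WatchKeys = @('HKLM:\SOFTWARE\ExampleThickApp',              # placeholder keys
                             'HKCU:\SOFTWARE\ExampleThickApp')
)

function Get-FileSnapshot {
    param([string[]]$Dirs)
    $snap = @{}
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            # Hash plus size plus mtime: a rewrite with identical content still shows as modified via mtime.
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $snap[$_.FullName] = "$hash|$($_.Length)|$($_.LastWriteTimeUtc.Ticks)"
        }
    }
    return $snap
}

function Get-RegistrySnapshot {
    param([string[]]$Keys)
    $snap = @{}
    foreach ($root in $Keys) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $snap["[key] $($key.Name)"] = '(exists)'     # track empty keys as well
            foreach ($name in $key.GetValueNames()) {
                # Unexpanded data so REG_EXPAND_SZ values compare stably across sessions.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $snap["$($key.Name)\$name"] = ($data -join ',')
            }
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Before, [hashtable]$After, [string]$Kind)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))   { [pscustomobject]@{ Kind = $Kind; Change = 'Created';  Item = $k } }
        elseif ($Before[$k] -ne $After[$k]) { [pscustomobject]@{ Kind = $Kind; Change = 'Modified'; Item = $k } }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k))    { [pscustomobject]@{ Kind = $Kind; Change = 'Deleted';  Item = $k } }
    }
}

$filesBefore = Get-FileSnapshot -Dirs $WatchDirs
$regBefore   = Get-RegistrySnapshot -Keys $WatchKeys
Read-Host 'Baseline captured. Exercise the application (login, change settings, save data), then press Enter'
$filesAfter  = Get-FileSnapshot -Dirs $WatchDirs
$regAfter    = Get-RegistrySnapshot -Keys $WatchKeys

$changes = @(Compare-Snapshot $filesBefore $filesAfter 'File') +
           @(Compare-Snapshot $regBefore   $regAfter   'Registry')
$changes | Sort-Object Kind, Change, Item | Format-Table -AutoSize
```

Each created or modified item in the output is then opened and reviewed for the items listed elsewhere on this page: credentials, tokens or key material written in clear, and permissions that let another local user read or replace the artifact. A snapshot diff deliberately misses transient files that are created and deleted between the two captures; where those matter, a live monitor such as Sysinternals Process Monitor is run alongside it.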

After identifying the strengths and weaknesses of the thick application(s) and the Client's development and security program processes, the tester will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and on the likelihood of process failure or exploitation. The tester will also collaborate with stakeholders so that notable findings can be analyzed and compared against program goals and compliance requirements.

Oscar Associates Limited (US) is acting as an Employment Business in relation to this vacancy.

Date Posted: 12 June 2024