Virtual VAPT Cert-In Certification

By: ESDS Software Solution Ltd.

Brief

The Virtual VAPT service from ESDS comes with a complete security audit of your web applications and websites for CERT-In certification, followed by regular vulnerability scanning with ESDS VTMScan.

Overview

ESDS will deliver this service in 2 phases.

Phase 1 – Web Application Security Audit by a CERT-in empaneled Agency 

Phase 2 – VTMScan Annual scanning service for web application (Based on selected plans) 

This combination makes it a unique offering in the security market today for a complete security assessment of a client's critical web presence.

Phase 1 - Web Application Security Audit by a CERT-in empaneled Agency

Application Security Audit

Application Security Audit is the process of actively evaluating all the components of an application to ensure that they have been developed within the guidelines of security best practices. It is an important step in certifying applications. During this step, the modules are individually tested for a number of weaknesses and properties. The application passes the review only if it exhibits all required properties. Errors in development (known variously as bugs, flaws or vulnerabilities) could allow an attacker to gain access to confidential information or deny authorized users access to the application, with potentially catastrophic results. An Application Security Audit is of great importance in avoiding security holes in the application itself. It improves the reliability, stability and performance of the application. The results of the application testing are delivered in a comprehensive report highlighting the vulnerabilities and the measures that mitigate the risk.

Application Security Testing

Two types of testing are carried out for a complete check of a web application: the functional test and the internal logic test. Black box testing assesses the functional operating effectiveness, and white box testing assesses the effectiveness of the software program logic. We carry out black box testing for the application. As the application has various roles defined for various users, we carry out role-based functionality testing to ascertain any security flaws. The first-level application audit highlights vulnerabilities in the application such as Cross Site Scripting, SQL Injection, Buffer Overflows, Unvalidated Inputs, insecure storage, etc. These need to be addressed by the developers, after which the second- or third-level audits are undertaken, if required. Removal of flaws and vulnerabilities from the application depends on the capabilities of the application developers, and the subsequent audit levels are driven by this necessity.

Security Audit as per OWASP Standard

The standard used for web application testing is OWASP (Open Web Application Security Project). The OWASP 2017 Top Ten represents a broad consensus about the most critical application security flaws.

Phase 2 - VTMScan Annual scanning service for web application (Based on selected plans) 

VTMScan Features:

  • Domain Reputation
  • Port Scans
  • SQL Injection
  • Malware Scans
  • RFI Scans
  • LFI Scans
  • Cross Site Scripting
  • URL Monitoring
  • CMS Scan
  • OS Detection
  • Clickjacking
  • CSRF
  • SSL Scan
  • WAF Detection
  • Content Change Monitoring
  • Banner Grabbing

All these modules are tightly integrated with each other to provide proactive scanning of the domain.

Highlights

Virtual VAPT Cert-In Certification

The first step is to analyse the web application / website / API application for appropriate built-in security measures. This analysis is necessary to create a baseline, so that the present state is better understood and the findings and recommendations can be appreciated.

The project entails a First Level Audit of the website / API applications, after which the Development Team corrects the vulnerabilities reported in the Audit Report. On successful patching of the vulnerabilities, a certificate will be issued for the website / web application. The methodology followed is as follows:

  • Understand the scope and purpose of the Web Application/API Applications. Review the web application structure and specifications so as to understand the basic design of the Website.
  • For the web application under review, identify, document and understand the "high value objects" that a malicious attacker would seek to steal or exploit (e.g., user IDs, customer data, passwords).
  • Devise attacks or methods using techniques to obtain the desired data objects.
  • Once Website security is handled, check if a valid/invalid user can use the Website in a manner so as to subvert the underlying security model of the system.
  • Various attacks are devised on each component and then relevant vulnerabilities are demonstrated.

VTMScan 

Search Engine Friendly - Automatic CMS Scanning, Agent based Server Side Scanning.

Detects Threats - Proactive Scan of Malware, Security Threats, Infections, Botnets.

Keeps your Web Servers Fit - Open Port Scanning for Security threats, Mail Server IP Checks.

Prevents Website Attacks - Specialized defence against Zero Day Exploits, Advisory Security Patches, Fully trusted and Tested Custom Security for Websites.

Anticipates and Spots Flaws Proactively - Provides instant E-Mail Alerts and Warning Alarms about infected Web Pages and Codes, Exclusive Scan Reports.

Specializes in Intense Detection - Remote Web-Shell / Unexpected files detection and CMS-specific scanning (WordPress, Joomla, vBulletin, DNN).

Usage

Virtual VAPT can be used by clients who operate websites.

Clients can use our product for certification and website scanning purposes.

Support

If you have any queries related to the product or require any assistance, please contact us at product.support@esds.co.in

Pricing

Click here to connect with us for pricing.

ESDS Software Solution LTD.

B-24 & 25, NICE Industrial Area
Satpur MIDC, Nashik 422007