Mobile Application Security Assessments
A Mobile Application Security Assessment (MASA) is an assessment of the application running on a mobile device (Android / iOS) as well as the associated back-end components. The objective of the assessment is to identify vulnerabilities within these environments and verify their existence using manual testing techniques.
Cyber TRAM's MASA methodology is a comprehensive approach that identifies vulnerabilities ranging from High to Low risk. Cyber TRAM identifies, verifies, and reports anything that raises the attack surface of the application. We use multiple techniques to simulate attacks from both an external and an internal attacker perspective, exposing the greatest amount of attack surface and providing the most value from testing efforts.
Application Penetration Testing
The overall goal of an application penetration test is to uncover software vulnerabilities, demonstrate the impact of the weaknesses, and provide recommendations for mitigation.
Cyber TRAM always follows a highly structured methodology to ensure a thorough test of the entire target environment and each layer of the organization’s security posture. Cyber TRAM's unique approach, comprised of pre-engagement interaction, reconnaissance, vulnerability analysis, vulnerability verification, reporting, and debriefing phases, ensures that our client’s application and supporting components are tested to the full extent with minimal business impact.
Static Application Security Testing (SAST)
SAST is comprised of a full source code review from both manual and automated perspectives. The goal of SAST is to identify security-related weaknesses in the source code and to provide developers with insight into the types of security problems that can exist in the code.
Cyber TRAM performs all testing activities utilizing both manual and automated code analysis techniques. All testing is performed from a full-disclosure or “white-box” perspective. The client provides source code and specific configurations for the target applications. Results from automated scanning tools are manually validated to ensure accuracy and weed out false positives.
After completing and verifying the results of the automated scanning, the source code is also reviewed manually to identify issues in business or application logic that automated scanners cannot identify. These issues may lead to conditions that an attacker could take advantage of to threaten the confidentiality, integrity, or availability of the application.
Dynamic Application Security Testing (DAST)
The purpose of DAST is to identify vulnerabilities present within the running application using commercial and open-source vulnerability scanning tools. In a DAST engagement, Cyber TRAM performs scanning and verification activities against the target application.
Prior to scanning, the application is analyzed to determine authentication mechanisms as well as technologies in use. Information gathered is used in the configuration and tuning of the vulnerability scanner. This allows for better crawling of the application and more accurate identification of vulnerabilities.
In parallel with the testing, manual examination of identified vulnerabilities is conducted. Each vulnerability identified is manually tested to determine its validity and to rank the potential impact of the vulnerability on the client environment and security posture. This aids in eliminating false positives.