Application Security Testing

The security (or otherwise) of enterprise applications has become an increasing concern over the last decade. Ensuring the security posture of external-facing and internal applications has become a significant business focus. Many organisations claim to be able to deliver focused, outsourced assessment services; however, Xiphos Research are unique inasmuch as the security assessment of web applications and services has traditionally been one of our core areas of business focus and expertise.

Xiphos Research provides our clients with a proven methodology that is backed up by industry-recognised expertise coupled with a passionate and innovative approach to application and services security. Xiphos employ an approach that is focused on ensuring that our clients are not only protected from a range of current attack vectors, but can also continue to guard themselves against emerging digital threats.

Our project approach is attuned individually to suit the unique needs and criteria of our clients. It can be loosely defined as following an assessment cycle that consists of the following distinct stages:

  • Information Gathering and Enumeration
  • Vulnerability Identification
  • Attack, Exploitation and Penetration
  • Privilege Escalation
  • Reporting and Documentation
  • Clean up and Debriefing

Each stage of the application security assessment process is conducted in the strictest confidence, with client confidentiality and safety our highest priority. Beyond conducting assessment activities, Xiphos Research asserts that results are meaningless unless they are placed in the context of our clients' needs and requirements. As part of the reporting cycle we prioritise discovered vulnerabilities, and analyse and verify the results. We also provide our clients with vulnerability descriptions that can be understood by all levels of personnel within client organisations and that contain mitigation strategies which easily allow vulnerabilities to be addressed in a timely and secure manner.

The application security assessment services provided by some companies consist of nothing more than scanning client services and applications with 'off the shelf' software. This is an approach that XRL are fundamentally opposed to. Although automated security applications provide a broad overview of the security of applications and services, they lack the depth that can only be provided by manual testing undertaken by experts. The security assessment activities undertaken by XRL are specifically designed to mirror the attacks and methodologies that would be employed by a knowledgeable and skilled remote attacker, and to ensure that our clients are protected against people, and not just software.

For additional information or assistance with our web application security assessment services, contact XRL today.