Custom Application Security Assessment
Service Overview ⫘
Secureworks will use a comprehensive and prioritized approach that assesses the security and compliance risks of your thick-client application, its associated internal or Internet systems, and the interactions between them. Specific techniques used during the assessment will vary based on the target operating system and the development language used for the target application.
Service Methodology ⫘
The custom application will be loaded into a virtual machine testing environment where both static and dynamic analysis will be performed. Testing includes analysis of the application itself, its interaction with the operating system, and both outbound and inbound network connections.
Secureworks will examine the objectives to be met by the application as well as test directly through the user-interface. These two points of view often lead to the fastest and highest quality results. By reviewing how the developer's approach to accomplish the application objectives, risk decisions can be evaluated. This step also allows for validation that the implementation matches the desired design. Testing will focus exclusively on application security and security related issues, rather than usability.
Once the target application is installed in the consultant's testing environment, the following actions will be performed:
Static Application Analysis
- Examine pre and post install into OS
- Examine files for stored credentials/keys
- Fuzz the binary for additional weak point/interactions
- Source Code review to develop abuse cases
- Identify dependencies with known vulnerable components
Dynamic Application Analysis
- Examine created files/memory objects for crypto/updated keystores/etc
- Search for artifacts created by the application in memory, registry, & filesystem
- Review permissions of registry, filesystem, handles, etc
- Identify and analyze localhost interactions
- COM & WMI abuse
Network Communication Analysis
- Attempt to intercept sensitive information through proxy interception and/or PCAP analysis
- Fuzz and abuse any API interactions and local services
- Attempt to circumnavigate certificate and trust interactions
Vulnerability Identification & Exploitation
- Develop exploits to take advantage of vulnerabilities discovered within the application
- Attempt to escalate privileges, move laterally, and take control of systems interacting with the binary
- Attempt to develop vulnerability kill-chains to commoditize attacks, and create the largest impact with the lowest level-of-effort
Remediation Validation:
Secureworks will conduct one remediation validation (RV) for only the high- and critical-severity findings listed in the final report. After the final report is delivered, you have 90 days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. You must submit the RV request through email to the Secureworks point of contact for the Web Service Test within thirty (30) days of delivery of the final report or the RV is forfeited. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether you successfully remediated the issues.
Note: Secureworks only conducts RVs remotely, regardless of whether the Web Service Test was conducted on-site.
Outcome ⫘
Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report may contain the following:
- Executive summary
- Methods, detailed findings, narratives, and recommendations if any
- Attachment as needed for relevant details and supporting data
Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before expiration of the review period, the report will be deemed final.
Upon completion of the Service, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by Customer-designated contact, within five (5) business days of such email confirmation, the Service shall be deemed complete.
Scoping Information ⫘
| Scope | Description |
|---|---|
| Custom Application Security Assessment - Small | One (1) custom, thick-client application developed in a plaintext or byte-code development language Examples: Java, .NET, Electron |
| Custom Application Security Assessment - Large | One (1) custom, thick-client Windows application developed in a fully-compiled development language Examples: C/C++, Rust, Go |
Work is conducted during business hours of the Secureworks consultant. After-hours feature is available for an additional cost.