Methodology
Mobile and Web Application Assessment
Test application providing the front-end to customer data, including how they are installed and configured on Android and IOS devices
- Server Infrastructure (web server end points)
- Application/API handling and functionalities
- Mobile Applications
Application will be tested to identify the security flaws that may be associated including:
- Authorization and Authentication Testing
- Session Management
- Cryptographic Controls: weak SSL/TLS ciphers, info. leakage on unencrypted channels etc.,
- Data protection in transit and storage. Also, application’s core security controls around data (ticket) storage cannot be circumvented
- Business logic and application workflow validations: request forging, circumvention of workflows, file upload issues etc.,
- API and mobile applications known security flows such as injection attacks, client resource manipulation, clickjacking, CORS validations, local storage testing etc. This will include but not limited to OWASP top 10 vulnerabilities
- Unnecessary screens, functionality, activities, services, broadcast receivers are not present in the applications
- Adequate protective measures have been built into the applications for example, code obfuscation, code hashing, use of native code for sensitive functions et al
- Secure data in Transit and at rest
- Server-side protection
- Authorization and Authentication Testing
- Disabling all debugging capabilities, unnecessary information removed from the symbol table
- Ensuring applications do not generate core dumps or other sensitive information upon a crash
- Obfuscation/insertion of guards into binary code – application hardening/runtime protection; method scrambling at binary level
- Jailbreak/root detection methods
- Protection against attacks such as “method swizzling”
- Encryption/checksums of upcoming sensitive code functions
- Detection of runtime manipulation, application patching
- Prior checksum of critical instruction branch code immediately before code and randomly
- Legitimate objective C method swizzling in the code
- Use objective C for sensitive methods, translate into native C/C++
- Avoid direct method calls to system libraries
- Invoke using inline assembly
- Perform regular server-side re-validation of authentication
- Restriction of background state around sensitive application areas (CHD input, etc)
- Sensitive information in the mobile application – PII etc.,
- Input validation, protection against injection attacks -SQL/XML injection
- The reporting structure:
- Management Summary with overall severity graph
- Detailed results for vulnerabilities discovered, exploited vulnerabilities and proof of concepts/screenshots
- Detailed explanations of the implications of findings, business impacts, and risks for each of the identified exposures
- Remediation recommendations to close the deficiencies identified
- Detailed steps (wherever/whenever applicable) to be followed while mitigating the reported deficiencies
- Issues with critical severity (CVSS score 9) shall also be reported at the time of finding.
1. Chandra Sekhar M – Project Lead
- 33+ years’ experience in implementing the Information Security, Personal Privacy, Cybersecurity Maturity Model Certification, CMMI, P-CMM.
- Cybersecurity Maturity Model Certified Professional (CPN -235) from CMMC-AB an initiative of US Department of Defense.
2. HARSH BOTHRA – Technical Lead Resource
- Experience in Penetration Testing & Offensive Security in – Web, Mobile, API, Network, Cloud & Container Security
- Author – Hacking: Be a Hacker with Ethics and Mastering Hacking
- Executed More than 300 Pentests, Core Team Lead & Pentester @Cobalt.io, Synack Red Team Member, Bugcrowd MVP Q1 & Q2 in 2020, Top Ranked Bug Bounty Hunter Certifications
- Certified Ethical Hacker (CEH) v10, eLearnSecurity Certified Professional, Penetration Tester (eCPPT), eLearnSecurity Web Penetration, Application Tester Extreme(eWPTx)
3. Chaudary S – Technical Lead Resource
- CEH and ISEB certified professional – Security Frameworks design, Implementation and Management, Vulnerability Analysis and Penetration Testing, Security & Privacy Assurance & Audits, Security/Privacy Risk Management and Secure Software Development Governance.
- PCI-DSS, SOC2, Cloud Security (CSA), NIST frameworks, HIPAA.
- Vulnerability Assessment and Penetration Testing of IT Infrstructure, Network, and Web & Mobile applications using manual and automated techniques; leveraging SAST & DAST methodologies.
- Threat modeling, Secure SDLC implementation, security/privacy controls configuration and reviews. Certifications
- Compliance Frameworks: ISO 27001:2013, PCI, HIPAA, HITRUST, GDPR, NIST, MPAA-TPN
- Tools: BURP, ZAP, SQL Map, nMAP, WireShark, Kali Linux Security Tools for manual and automated VAPT assessments
- Security Assessment: SAST, DAST, IAST & Configuration Reviews
- Languages: Python
4. Pankaj Kumar Singh – Technical Lead Resource
- Black / Grey / Grey Box Penetration Testing – WAPT – Android, IOS, Wireless, Physical, Thick Client, Red Team Assessment
- CEH, ISO 27001:2013 Lead Auditor – Security Frameworks design, Implementation and Management, Vulnerability Analysis and Penetration Testing, Security & Privacy Assurance & Audits, Security/Privacy Risk Management and Secure Software Development Governance. certification
- CISSP, CISA, CIPM, CIPP/E, FIP, CHFI, CEH, ISO 27001 LA, TOGAF 9, Prince2, ITIL V.3, CCNP, MCP, CSOE, PMP. AWS & AZURE Cloud Architecture,
5. Vaibhav Sharma – Technical Resource
- Microsoft Dynamics Business Applications and Technologies – CRM, ERP, Microsoft 365, Azure and Security framework, vertical solutions on Dynamics CRM platform, defining standard processes for SCM in AX, proof of concepts, roadmaps, publishing and presenting white papers.
- Microsoft Dynamics Evangelist, Microsoft Security, Forensic Investigation, Azure Certifications
- ISMS 27001:2013 Lead Auditor and Lead Implementer
- MCSA: Dynamics 365 -Certified
- Certified VAPT professional
- MCSE and MCP
6. SITANATH NANDI – Support Lead and Technical Resource
- I Cybersecurity Maturity Model Certified Professional from CMMC-AB an initiative of US Department of Defense.
- Information Security & Privacy frameworks/ standards/ regulations – ISO 27001, ISO 27701, ISO 2000-1, ISO 22301, ISO 31000, GDPR, NIST, SOC2, CMMC, PCI-DSS, HIPAA
- Worked in HCL Infosystems Ltd, Part of HCL, a major IT group in India – conceptualization, selection and testing Certifications
- Certified Lead Tutor and auditor for QMS, ISMS, BCMS, ITSMS, EnMS, EMS & OHSMS
- Certified QES graduate
- Qualified Trainer for Networking, InfoSec Technologies, GDPR
Adventz, Insure Nearby, SMC, Almondz, Faicent, Fiducial, StockHolding, Ratnaafin, Arihant Capital, Standard Chartered, Emedlife, BimaHub, Lend Free, Fikarnot, Insurance Dekho, Shivalik Mercantile Co-DP. Bank Ltd., DJT CORP, RKFS, Knowlarity, GirnarSoft, CASHKARO, Share India, Parivaar, Compunnel, Simson Softwares, Click4Bima, Decentro, PalmInsurance, Aapaka IMSL, MKT, Insure4Sure, Jaika Insurance Auxillium, Basket Option, Super Finserv, Victora Group, TruBoard Partners, GRAMeBIMA, ATELIER, Dailyhunt, MOJ, NEDO, Maatri, Honda Assuro, Lucknow Smart City, SquadiQ, RIA, Ori, Cyfuture