Modern hackers have refocused their efforts to target applications as a means of effectively bypassing existing legacy security devices (such as network firewalls). To most security application developers, application security is still a relatively new area of concern and is fundamentally different from other areas of computer security, such as network infrastructure or operating system security.

Since application security is not yet a mature discipline, few tools exist to automate comprehensive application testing. ACS staffs ASA engagements with experienced security consultants who have strong backgrounds in information security as well as software development, with a focus on application development.

The ACS ASA methodology focuses on combining the strong technical competency of the consultants with a broad and flexible test plan. No two custom applications are identical, and they are often composed of off-the-shelf applications as well as custom-developed systems or components.

In order to ensure that the assessment is truly comprehensive, ACS relies upon communication between the consultant and the customer’s technical staff to develop an understanding of the application architecture and all of its working parts. This communication starts during the project initiation meeting and continues throughout the engagement.

ACS recommends a “blended” approach when assessing applications. This approach leverages the ACS ASA methodology as well as targeted source code review.

The ACS Application Testing methodology leverages dozens of white-box and black-box tests to better understand the workings of the applications while identifying vulnerabilities. Targeted source code review is used to drill down into risky areas within the application and around functionality found to contain security vulnerabilities.

Combined, these services offer the consultants the framework required to conduct the most thorough assessment possible.