Application Security

At Eventus, apart from introducing cutting-edge services, we continue to innovate and provide application security assessments around web, mobile and thick client applications along with APIs and Infrastructure Security. We work closely with you to customize some of these to meet your specific requirements.

Threat Modeling and Secure Architecture Review

We enable our customers with insights to identify potential threat factors that can cause harm, with the perspective of a hacker to ascertain the damage that can be caused by a malicious act. We look beyond the typical attacks and tailor our services to provide protection from targeted attack vectors, new attacks or attacks that may not otherwise have been considered.
Set Goals
Based on a comprehensive study, the requirement scope, goals, and objectives with timelines are defined and agreed upon.
Visualize Build
After the initial Business Requirement scope is agreed upon, the architectural design, solution components and implementation plan with data flow, network access, authentication and authorization requirements are built.
Identifying Threats
To detect all threat factors, new attacks, or unanticipated attacks, the experience and expertise of our world-class team comes into play. Our team can perform detailed threat modelling for new and existing solutions and provide a full threat landscape with all vulnerabilities in an actionable report.
Mitigate Vulnerabilities
The detailed actionable report, with all the mitigation recommendations, is shared with all the relevant stakeholders. Ownership is defined, and the vulnerabilities and actions are prioritised based on the severity level of each component, system, and interface.
Validate Fixes
The patches are applied, the vulnerabilities are fixed, and it is verified that they are properly mitigated and that no lingering risks remain.

Source Code Review

Automated code review scanning tools and manual review are combined in a hybrid methodology, applied across the lines of code of an application project to identify vulnerabilities residing in the code.

Our methodology increases the discovery rate of the vulnerabilities with confidence, allowing our clients to get a clear view of the affected sources and sinks across the code.

The outcome of Source Code Review is a detailed actionable report describing every security issue, broken down by vulnerability, with an analysis of the severity of each finding and recommended mitigations, including code snippets, file names and line numbers, to resolve the issues for improved security in ways that are aligned with industry best practices.

Software Composition Analysis

Eventus delivers automated scans of an application’s code base, including related artifacts such as containers and registries, to identify all open-source components, their license compliance data, and any security vulnerabilities. In addition to providing visibility into open-source use, we also help fix open-source vulnerabilities by suggesting possible remediations to development teams.

Dynamic Application Security Testing

We provide an on-demand or periodic dynamic security assessment service in which we run automated scanners against applications to identify vulnerabilities. Once the automated scanning is done, we remove false positives and provide a detailed report to the organization. Dynamic Assessments are useful in sprint releases in agile development where there is no major change in the application. This assessment provides quick results.

Application Penetration Testing

Eventus has the expertise to perform security assessments on conventional web applications, new Single Page or HTML5-based applications, Android and iOS platforms, console-based applications, as well as the new Windows appx format extensions.

Web

We use targeted penetration testing and leverage automated scanners to deliver an all-round detailed report on your web application security assessment. We use global standards from OWASP, WASC and SANS, together with deep coverage from the research community, as the foundation of the web application security assessment. After the assessment, each issue is identified as being at the server level, at the SSL level or in the application itself. This gives you clear direction and recommendations on exactly which area to focus on and where to start mitigation by applying patches. Vulnerabilities like SQL Injection, Cross Site Scripting, Sensitive Data Disclosure, etc. are identified as part of the web application security assessment.

Mobile

Eventus follows a unique approach to identify vulnerabilities at 3 levels: installer level, storage level and communication level. These 3 levels combine to form a single mobile application security assessment. We have a dedicated mobile application security lab to test applications on platforms like Android and iOS. Classifying each vulnerability at the installer, storage or communication level helps the organization get more clarity on the root cause of the issue and apply the correct fix. Insecure data storage, lack of binary protection, improper platform usage, etc. are some of the vulnerabilities identified by a mobile application security assessment.

Thick Client

Similar to mobile applications, we help our clients secure their thick clients as well. We classify the vulnerabilities on the executable file, on the storage side or in the communication channel. Hardcoded credentials, DLL Hijacking, Process Injection, etc. are some of the most commonly identifiable vulnerabilities.

API Penetration Testing

Irregularities in APIs allow attackers to exploit the API, giving them sensitive information about all of the application's logic and infrastructure. This leaves your organization and customers vulnerable to data theft, because the API is unable to secure that data. Our team of cyber security professionals starts by collecting as much data as is available about the target API, such as IP addresses, URLs, endpoint definitions and related details, credentials, and calls and responses, along with a detailed list of test cases.

Once the required details have been acquired, the target APIs are enumerated at the application and network layers, which provides insight into the weaknesses and loopholes present in the API. The final step is exploiting the discovered vulnerabilities and determining to what extent the tester can penetrate through the loophole. This estimates the extent of the damage that a hacker could do to the system, making you aware of the threats so that you can take appropriate steps.