With the consultancy approach, we can take the analysis further following a pentest and focus on specific security issues.
As part of a project to develop or redesign a Web platform, it is advisable to integrate security thinking from the technical and functional design phase onwards.
Tackling technical and functional specifications from the point of view of an attacker avoids classic pitfalls and incorporates security prerequisites into the specifications.
The methodological approach is as follows:
Launch meeting
In this first phase, we become acquainted with the development project and gather information on the client's technical and functional context.
Analysis
This phase consists of analyzing the architecture documentation provided by the client, in order to identify technical weaknesses as well as weaknesses in the business logic.
Results presentation
In the results presentation phase, we make technical security recommendations to the client, organized into 10 key themes: authentication, session management, confidentiality, integrity, continuity of service, technical protection of the application's controls, functional protection of the application's controls, elements to be tracked and logged, compliance constraints, and configuration constraints.
The white box audit of a server gives access to a level of information that is inaccessible to a pentester (except where a major flaw exists), in order to secure the server configuration as thoroughly as possible.
This approach consists of conducting a security analysis with administrator access to the server.
The white box audit of a server includes the following aspects:
The audit also includes tests conducted from outside the server, similar to those performed during a pentest, to detect unsecured exposed services, outdated software, weaknesses in security components, or configuration errors.
On the same principle, the white box audit of an application gives access to a level of information that is inaccessible during a pentest (except where a major flaw exists), in order to secure the application layer as thoroughly as possible.
This approach consists of analyzing the application's source code in detail in order to measure its level of security and propose corrective measures.
This is particularly useful in two cases:
The white box audit of an application includes the analysis of the following aspects (this list is not exhaustive):
This makes it possible to propose fixes against all known technical vulnerabilities (notably those listed by OWASP, such as injections, XSS, CSRF, XXE, etc.) as well as logic flaws in the business rules implemented in the solution.
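As an added illustration, not part of the original service description, the following Python snippet shows the kind of finding a source code review surfaces and the corrective measure that goes with it: a database lookup that splices user input into the SQL text, placed beside its parameterized replacement. The table, the sample users and the function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The pattern a code review flags: untrusted input becomes part of the SQL text.

    A value containing a quote character changes the structure of the query,
    so the WHERE clause no longer restricts the result to one account.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The recommended fix: a bound parameter keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> tuple:
    """Return (rows from the vulnerable version, rows from the fixed version)
    for the same input, so the difference in behaviour can be checked directly."""
    conn = make_db()
    try:
        return len(vulnerable_lookup(conn, username)), len(safe_lookup(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same in both versions.
    print("alice:", compare("alice"))
    # The classic quote-breaking input exposes every row in the vulnerable version
    # and matches nothing in the parameterized version.
    print("crafted input:", compare("' OR '1'='1"))
```

In a review report the first function would be cited with its file and line, the second would be the proposed patch, and the same comparison would be repeated for every place where request data reaches a query, a shell command, an XML parser or an HTML template.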
The white box audit of a Website based on a CMS [content management system] involves an in-depth search for the vulnerabilities typical of this type of site, or tracing the source of the security problems that led to a compromise.
The approach applied during a CMS audit is twofold:
The details of the work to be carried out are adapted according to whether the audit is commissioned for prevention or to restore a site that has been the victim of one or more attacks.
This type of service applies to different content management systems, including: WordPress, Drupal, Joomla, Prestashop, Magento, etc.