Comprehensive Application Security Verification

Aspect's "Comprehensive" security verification is appropriate for Internet-facing or intranet applications that are critical to the business, provide special functions, or that process sensitive information. For less-sensitive applications, you should consider a Security Review or a Standard Verification.

Over a decade of application security work, Aspect has evolved a unique hybrid verification methodology that has proven efficient and cost-effective across a diverse range of applications and industry sectors. Our reviews are efficient because we've integrated code review with automated code analysis, vulnerability scanning, and application penetration testing to allow us to use the most effective technique possible.

Our comprehensive verification uses this hybrid verification approach, combining the strengths of automated scanning, manual code review, and manual penetration testing. This approach makes our reviews more comprehensive and more accurate than any other approach. Our state-of-the-art application security analysis, testing, and reporting workbench allows us to keep costs down while providing very high quality.

Aspect has unparalleled experience verifying the security of the code for complex enterprise applications. We verify millions of lines of code every month across a wide range of platforms and frameworks. Over many years, we have tuned our process to be extremely efficient and effective. Aspect has deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more.

In some cases, access to the source code or the running application is not possible. We can still verify these applications using the available techniques, and the cost is the same. If you didn't develop the code yourself, we are happy to work with your software provider.

The comprehensive verification provides evidence that all the major security controls are in place and that they have been used properly throughout the application, including authentication, access control, input validation, output escaping, encryption, data protection, error handling, logging, and back-end communications. Aspect covers all of the OWASP Top Ten vulnerabilities and many additional areas. In addition, we satisfy the application security requirements for PCI DSS compliance.

Aspect's reports include a strategic executive summary, a clear scorecard, and detailed findings that can serve as evidence of application security due diligence and compliance. Each finding includes a full description of the risk, including the likelihood of a successful exploit and its impact on the business. We also provide the procedure for reproducing the finding and a detailed description of how to remediate the issue.

Questions?

Want to talk to an application security verification expert? Want us to help scope a review for you? Just let us know.
