Standard Application Security Verification

Aspect's "Standard" security verification is appropriate for almost any Internet-facing or intranet application that is important to the business. For applications that provide important business functions, process sensitive information, or have privileged users, consider a Comprehensive Verification.

Over a decade of application security work, Aspect has evolved a unique hybrid verification methodology that has proven efficient and cost-effective across a diverse range of applications and industry sectors. Our reviews are efficient because we've integrated code review with automated code analysis, vulnerability scanning, and application penetration testing to allow us to use the most effective technique possible.

Our standard verification uses this hybrid verification approach, combining the strengths of automated scanning, manual code review, and manual penetration testing. This approach makes our reviews more comprehensive and more accurate than any other approach. Our state-of-the-art application security analysis, testing, and reporting workbench allows us to keep costs down while providing very high quality.

Aspect has unparalleled experience verifying the security of the code for complex enterprise applications. We verify millions of lines of code every month across a wide range of platforms and frameworks. Over many years, we have tuned our process to be extremely efficient and effective. Aspect has deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more.

In some cases, access to the source code or the running application is not possible. We can still verify these applications using the available techniques, and the cost is the same. If you didn't develop the code yourself, we are happy to work with your software provider.

The standard verification checks that all the major security controls are in place and that they have been used properly, including authentication, access control, input validation, output escaping, encryption, data protection, error handling, logging, and back-end communications. Aspect covers all of the OWASP Top Ten vulnerability areas and meets the PCI DSS compliance application security requirements.

Aspect's reports include a strategic executive summary, a clear scorecard, and detailed findings that can serve as evidence of application security due diligence and compliance. Each finding includes a full description of the risk, including the likelihood and impact of a successful exploit to the business. We also detail the procedure for reproducing the finding, as well as a detailed description of how to remediate the issue.

Questions?

Interested in learning more about Aspect's Standard Application Security Verification Service, our approach for performing this service, or the coverage it provides? Just ask.
