Application Security Vulnerability Scanning

Aspect uses vulnerability scanning tools, both commercial and proprietary, as part of our application verification process. Vulnerability scanning is one part of our hybrid approach to application verification; combined with code review and security testing, it is more cost-effective and accurate than any single technique on its own. We tailor the scanning tools to the application in order to get a high-quality scan, and then carefully diagnose, consolidate, and verify all of the automatically generated data.

Vulnerability scanning tools crawl applications and use databases of signatures to attempt to identify weaknesses. These tools can be used to find instances of XSS, CSRF, SQL injection, unprotected directories, open ports, and similar issues. Once the tools have been configured to understand the security controls in an application (its authentication, session handling, and anti-CSRF mechanisms), they can be used to verify many more advanced security areas as well.

Our analysts take the data produced by vulnerability scanning tools and evaluate it carefully to identify false positives and duplicate findings. In many cases, the exact significance of a data point is unclear without further analysis and understanding of the application's architecture, patterns, and frameworks. This analysis is combined with the other verification techniques and enhanced with risk information to produce a complete and accurate security review.
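The consolidation step described above, as an added illustration rather than Aspect's own tooling: two constructed scanner reports (hypothetical tools named `scanner_a` and `scanner_b`, targets under the fictitious host `app.example.test`) are normalized to a common key so that the same weakness reported under different labels or URLs collapses into one finding, and findings whose verdict usually depends on understanding the application's controls are flagged for manual review.

```python
"""Consolidate and triage findings from several vulnerability scanners.

Added example, not Aspect's tooling. The scanner names, labels, URLs and
confidence values below are constructed to illustrate the technique.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample output from two hypothetical scanners, in the shape many
# tools export: a free-form vulnerability label, affected URL, parameter and
# the tool's own confidence rating.
SCANNER_A = [
    {"type": "Cross-Site Scripting (Reflected)", "url": "https://app.example.test/search?q=1",
     "param": "q", "confidence": "high"},
    {"type": "SQL Injection", "url": "https://app.example.test/items/42",
     "param": "id", "confidence": "medium"},
    {"type": "CSRF", "url": "https://app.example.test/account/email",
     "param": None, "confidence": "low"},
]
SCANNER_B = [
    {"type": "XSS", "url": "https://app.example.test/search?q=%3Cb%3E",
     "param": "q", "confidence": "medium"},
    {"type": "Directory Listing", "url": "https://app.example.test/static/",
     "param": None, "confidence": "high"},
    {"type": "Cross Site Request Forgery", "url": "https://app.example.test/account/email",
     "param": None, "confidence": "low"},
]

# Each tool's label is mapped onto a small canonical vocabulary.
CANONICAL = {
    "xss": "xss", "cross site scripting": "xss",
    "sql injection": "sqli", "sqli": "sqli",
    "csrf": "csrf", "cross site request forgery": "csrf",
    "directory listing": "dirlisting",
}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Classes whose significance depends on application-level controls (here CSRF,
# because the verdict hinges on the app's token scheme) always get a human look.
CONTEXT_DEPENDENT = {"csrf"}


@dataclass
class Finding:
    vuln: str
    location: str
    param: Optional[str]
    sources: List[str] = field(default_factory=list)
    confidence: str = "low"
    needs_manual_review: bool = False


def canonical_type(label: str) -> str:
    """'Cross-Site Scripting (Reflected)' -> 'xss'; unknown labels pass through lower-cased."""
    key = label.lower().replace("-", " ").split("(")[0].strip()
    return CANONICAL.get(key, key)


def normalize_path(url: str) -> str:
    """Drop scheme and query string, and replace numeric path segments with {id}
    so that /items/42 and /items/43 are recognised as the same endpoint."""
    parts = urlsplit(url)
    segments = ["{id}" if seg.isdigit() else seg for seg in parts.path.split("/")]
    return parts.netloc + "/".join(segments)


def consolidate(reports: dict) -> List[Finding]:
    """reports maps scanner name -> list of raw findings. Returns merged findings."""
    merged = {}
    for scanner, raw_findings in reports.items():
        for raw in raw_findings:
            key = (canonical_type(raw["type"]), normalize_path(raw["url"]), raw["param"])
            finding = merged.setdefault(key, Finding(*key))
            finding.sources.append(scanner)
            # Keep the strongest confidence any tool assigned to this finding.
            if CONFIDENCE_RANK[raw["confidence"]] > CONFIDENCE_RANK[finding.confidence]:
                finding.confidence = raw["confidence"]
    for finding in merged.values():
        seen_by_one_tool = len(set(finding.sources)) == 1
        finding.needs_manual_review = (
            (seen_by_one_tool and finding.confidence != "high")
            or finding.vuln in CONTEXT_DEPENDENT
        )
    return sorted(merged.values(), key=lambda f: (f.vuln, f.location))


if __name__ == "__main__":
    for f in consolidate({"scanner_a": SCANNER_A, "scanner_b": SCANNER_B}):
        flag = "REVIEW" if f.needs_manual_review else "ok"
        print(f"{f.vuln:10} {f.location:40} {f.param!s:6} {f.confidence:7} {f.sources} {flag}")
```

The two XSS reports merge into one high-confidence finding corroborated by both tools, the two CSRF reports merge but stay flagged because a scanner cannot judge the token scheme on its own, and the single-tool medium-confidence SQL injection finding is queued for an analyst rather than reported as-is.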

Aspect has deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more. Even if you didn't develop the code yourself, we are happy to work with your software provider.

Aspect's Standard Verification and Comprehensive Verification both leverage vulnerability scanning in addition to code review and manual testing. This combined approach allows us to provide the most cost-effective verification solution available anywhere.

Questions?

Interested in learning more about Aspect's approach for performing vulnerability scanning as part of our hybrid verification approach? Just ask!
