A security assessment of your Windows, macOS or UNIX application ensures that it has been securely designed and that it does not contain vulnerabilities that may affect the security of the application or the data handled by it.
Desktop applications can pose a unique set of security and data protection risks if not correctly designed and secured. Sensitive data may be held (albeit temporarily) on the desktop computer, which is less secure than the back-end database servers and could be compromised if an end user's workstation is accessed or stolen. Physical access to desktop devices is generally easier to achieve in office environments, and if the device is left unlocked or unattended an unauthorised individual could access or change data within the application.
Our Desktop Application Security Assessment will consider both the technical security measures within the software and the design features of the overall architecture to ensure that data is secure from theft, interception or tampering when stored and processed on an end user's workstation and when the application communicates with other services or APIs. We will also validate that a malicious user cannot abuse the application to gain privileged access to the underlying operating system and that application users can only perform the actions to which they have been granted permission.
Methodology
Using a range of specialised tools and manual testing, a review will be conducted of the desktop application. The purpose of this assessment is to identify ways in which a malicious user, who has access to the application, may be able to compromise key areas of the application in order to obtain sensitive information. An assessment will also be made during the runtime of the application, to assess if it is possible to use any of the application functionality to escalate privileges within the operating system of the workstation on which it has been installed.
As part of the overall testing methodology, the following areas of the application will be assessed:
Authentication
The authentication components of the application will be assessed to identify ways in which these may be bypassed by an attacker. Automated testing such as brute-force password guessing attacks will be attempted against the authentication prompt, while manual code injection testing will be conducted to identify ways in which the authentication may be bypassed altogether through parameter tampering and injecting malicious code into the application.
Role Based Access Control (RBAC)
If multiple user roles are present in the application, testing will be conducted to ensure that users are unable to escalate their privileges either “horizontally” or “vertically”. Horizontal privilege escalation vulnerabilities could allow a user to access the data of other users, whereas a vertical privilege escalation vulnerability could allow a lower-privileged user to access functionality that should only be available to an administrator.
Binary Executable Decompilation
During the assessment, an attempt will be made to decompile all executable files with the intention of identifying ways in which the underlying code may be circumvented or to identify sensitive information that may be hard-coded.
Checks will be made to identify sensitive information that may be hard-coded in the application source code. Typical hard-coded information which may be considered sensitive includes passwords, database connection strings and PKI certificates – all of which could be useful to an attacker.
Specific tests will be conducted to identify ways in which the underlying code may be modified to benefit an attacker. This could include enabling functionality which should not normally be available (for example enabling an “engineering mode”) or enabling features that are protected by a software license restriction.
In-Memory Analysis
The process memory space that is used by the application will be examined using an in-memory debugging tool to identify weaknesses that may only be present during application runtime. This is crucial in identifying attack vectors which may allow an attacker to inject malicious code into the Windows process as a way of furthering their attack using exploit code.
Network Traffic Analysis
The network traffic that is sent between the application and server will be closely examined to ensure that it cannot be intercepted or modified in transit. Checks will be made to ensure that the network data is securely encrypted and that it is not possible to obtain sensitive information from the network traffic or inject malicious code into it to modify the application's behaviour.
Code Injection
Code injection testing will be performed on all entry points to the application to identify ways in which an attacker could inject malicious code. Depending on the application architecture, this could include SQL injection testing if the application relies on a back-end database, or command injection testing in an attempt to execute operating system-level commands on the server on which the application resides.
Local Data Caching
The application behaviour will be closely monitored during runtime to identify if sensitive data is being cached locally or logged on the hard drive of the end user’s workstation. If data is being cached, the data will be examined to ensure that it has been encrypted or anonymised to the point where it is not useful to an attacker who has been able to obtain local access to an end user’s workstation.
Application & Service Permissions
The application and any associated services will be examined to identify the permissions that they have within the operating system. Specific checks will be made to identify the level of access that an attacker would have to the operating system if they have been able to compromise the application.
File Permissions
The file permissions of all files associated with the application will be examined. The purpose of this examination is to identify if an attacker would be able to tamper with the application executable, log files or library files that may allow them to modify the behaviour of the application.
Digital Code Signing
The application executable and all associated plugins and Dynamic Link Library (DLL) files will be examined to confirm that they have been digitally signed, so that they cannot be tampered with by a malicious user without detection.
Certificate & Key Management
If the application uses encryption for data or network traffic, specific checks will be made around how the encryption keys and certificates are stored and managed by the application. This is to ensure that the keys or certificates cannot be stolen or forged by a malicious user and then used to circumvent the encryption that is in use by the application.
3rd Party Libraries & Plugins
An assessment will be conducted on all visible 3rd party plugins and libraries that are used by the application. Checks will be made to ensure that these 3rd party plugins and libraries are up to date, and that no publicly available exploit code exists for them that may impact the overall security of the application.
Source Code Analysis
If the source code for the application is available, we can also perform automated analysis in order to identify vulnerabilities that could be exploited.
Prerequisites
- A signed and completed testing consent form
- A copy of the compiled application
- A copy of the application source code in a working development environment if you would like the source code analysed for vulnerabilities
- Access to any API or back-end services the application requires
Deliverables
Engaging with SecureTeam for your Desktop Application Security Assessment will provide you with the following:
In-flight Support
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of what your application is used for, and any services it connects to – either in your network or over the Internet. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or infrastructure and any evidence in our results that indicates a security breach may have already taken place.
Reporting
Once the application assessment has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities are explained to a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information and mitigation advice can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted & expiring URL link – allowing you to download the test report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves on partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.
We are committed to ensuring that you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff. It provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and the technical staff who will be tasked with applying the recommended course of action.