Penetration tests of desktop applications
Your key applications deserve to be secure. We bring you desktop application security solutions to help you maintain customer trust and protect your sensitive data.
Penetration testing of desktop applications
They are quite specific compared to web application penetration tests in many respects. They require comprehensive knowledge of secure authentication, access authorization and working with sensitive data, as well as a deep knowledge of programming languages including assembly language, dissembler, debugger with direct use of opcodes. The result is a verification that the application is secure, suitable for production deployment, and does not suffer from any obvious security weaknesses that could pose a direct security risk to the application, its users, and the data itself.
The following is a more detailed list of areas that tend to be critical from a desktop application security perspective, based on our long-term experience. This is not a complete list, but it does give a clearer idea of the scope and complexity of penetration testing for desktop applications, whether it is your own solution you are developing or a third-party solution you are about to deploy in your environment. We're happy to help and advice you with your security solution.
Source Code Analysis
A combination of static analysis using automated tools and manual code review,
JAVA, C#, or other languages on request.
Critical areas of security
- The application stores sensitive data in unencrypted form,
- The files created are assigned high access rights,
- Insufficient server-side input control,
- Communication gateway vulnerabilities
- Possible DoS tests of the communication gateway,
- Sensitive data is sent over an unencrypted communication channel,
- SSL/TLS weaknesses (versions, algorithms, key lengths, certificate validity),
- Proprietary communication protocol is used,
- Weaknesses in mutual authentication of the channel,
- Long timeouts waiting for server response,
- Insufficient control of client inputs,
- Possibilities to bypass the authentication scheme,
- Lack of use of multi-factor authentication,
- Possibilities of brute-force attack on authentication data,
- Weak password policy,
- Executable files that are not signed,
- Session tokens are not generated with sufficient entropy,
- Long user session duration,
- Lack of automatic logout on inactivity,
- Sensitive information stored in cache memory,
- Storing sensitive information in log files,
- Cryptography used in data storage that is not secure,
- Executable code contains sensitive data,
- Sensitive business logic contained in the program,
- Developer comments in program files,
- No code obfuscators are used,
- Sensitive data in memory,
- Application business logic flaws.
Benefits
- We are one of the most established market leaders.
- We have extensive experience in the field of desktop application security.
- Our team consists of specialists with experience from hundreds of sub-projects.
- We are holders of eMAPT, CISSP, OSCP, OSCE, CEH and many other supporting certifications.
- We run our own hacking lab for research in a number of areas dealing with the security of various solutions.
- We listen to our clients and tailor tests to their relevant needs and time constraints.
- We follow modern trends in desktop application security.
- We emphasize a manual approach to testing, which leads to the discovery of more vulnerabilities, especially in the business logic of applications, compared to automated tools.
DO NOT HESITATE TO
CONTACT US
Are you interested in more information or an offer for your specific situation?