
Risk Management in Backend Systems, APIs and Web Applications

Going digital goes hand in hand with new threats and risks, and requires protection of your assets and systems. Identifying and implementing the right protections is a daunting task. But the journey does not stop there: you need to check and verify that the protections are effective and working as expected. How do you manage this?

Control your digital risks

Every risk management strategy should emphasise regular security testing of all critical systems: customer-facing systems (e.g. mobile apps or IoT devices) as well as connected backend systems, including network components, operating systems, web applications and APIs.

This is necessary to monitor the constantly changing threat landscape and digital risks.

How to perform regular security testing?

Modern development methodologies (e.g. agile, DevOps) aim to integrate automated security testing into the CI/CD tool chain in order to maintain a baseline of security.

It is widely acknowledged that tools contribute to the security process by assisting security experts in their tasks. However, it is important to understand what tools can and cannot deliver, and to avoid incorrect use or misinterpretation of results (see e.g. the OWASP Web Security Testing Guide).

Orchestrating an effective and efficient security testing program, and finding the right balance between automated and manual testing, requires expertise and experience.

Benefits of manual penetration testing

Manual security testing includes preventive activities like threat modelling, source code reviews, inspections and reviews, all with a focus on identifying vulnerabilities at an early stage of the development lifecycle. In contrast, manual penetration testing focuses on the very end of the lifecycle: the release candidate and the environment it will be deployed in.

Note that only the final release candidate includes all the third-party libraries and components on which it depends. And only the execution environment will contain the results of a misconfigured or erroneously used tool, which can add an exploitable vulnerability. The release candidate in its environment will be your interface to your users and the first line of defence targeted by adversaries.

Therefore, penetration tests play an important role in security testing programs and management of the digital risks.

Penetration testing starts where automated tools end

Every automated tool has its strengths but also some limitations. The tester should be well aware of what a tool does, what it does not, or what it cannot provide.

Manual penetration testing of backend systems, APIs and web applications continues where automated static, dynamic or interactive tools end: it adds the human layer, with testers who think like a creative, experienced attacker.

Our penetration testing team uses its knowledge, experience, expertise and specialised tools to identify vulnerabilities and develop attack paths that allow gaining access to the assets and data processed in the target systems, network, web application or API.

When to perform a manual penetration test?

Since manual penetration testing is a time-consuming activity and requires expertise, eShard recommends performing backend, API and web application penetration tests as a complement to automated security testing.

It is good practice in various industries to perform penetration tests of critical systems regularly, e.g. once a year, and after any significant change, e.g. after a major redesign, the addition of new functionality or the introduction of new tools.

Real-life testing

The objective of the penetration test is to determine the risks and the resistance of the systems against real-life attacks.

For this, the eShard research team keeps track of the latest attack techniques and tools, which enables us to simulate state-of-the-art attackers.

Key success factors

The first step and the key to successful penetration testing is the definition of the right scope. Without it, the project may ignore critical components or include non-critical components, so that the test wastes effort, time and money, or its results are of limited relevance.

Make sure that the pentest is following a recognized procedure, and that the report is complete and consistent with the procedure.

To ensure the quality of our services, eShard delivers penetration testing projects using the recognized PMI PMBOK® project management methodology. We make sure that your pentest project meets your requirements, is delivered on time, and meets the agreed budget.

Compliance requirements

eShard provides backend, API and web application penetration testing services customised to your needs and expectations. For this, we will take any specific requirements into account, such as:

  • Industry and third party requirements (e.g. PCI DSS and other PCI standards, EMVCo, American Express, Mastercard and Visa requirements),
  • Best practices (e.g. OWASP Web Security Testing Guide, OWASP API Security Top 10, NIST SP800-53 or SP800-115, BSI Guidance on Penetration Testing, MITRE ATT&CK, PCI Penetration Testing Guidance),
  • Legal requirements (e.g. GDPR) or industry-specific regulation and recommendations (e.g. PSD2 or EBA Guidelines on ICT and security risk management in the financial sector),
  • Your own or your business partner’s requirements.

Training tools

Ecosystems move fast, and so do the cybersecurity challenges. Your team must remain up to date and master the latest security threats because your business and your customers are at stake.
Advanced
Introduction to P-Code and GHIDRA SLEIGH
Coach: Tiana Razafindralambo
When reverse engineering custom assembly code, being able to disassemble and decompile it into more comprehensible code makes it possible to review it. This module focuses on the reverse engineering tool GHIDRA and its language specification, SLEIGH. The aim of this module is to show how to implement a custom processor in order to decompile and further analyse code with GHIDRA.
Intermediate
Code instrumentation with FRIDA
Coach: Tiana Razafindralambo
Code instrumentation is a dynamic analysis technique that aims at controlling the behavior of the application's code. With this ability, one can passively intercept data passing between functions or modify the code of a whole function. FRIDA is the Swiss Army knife of code instrumentation frameworks, and this module will teach you how to use it to reverse engineer mobile applications.
Intermediate
Dynamic Analysis of an Android application
Coach: Tiana Razafindralambo
This module focuses on dynamic analysis techniques. It is split into two parts: the first focuses on tools and techniques that can be used for the Java code, and the second on those for the native code. Trainees will learn how to debug an application using different alternatives, and also how to instrument the code using FRIDA.

© eShard 2021. All rights reserved