The following is an overview of the Thick Application Penetration Test:
- The assessment will evaluate the application for security vulnerabilities from the perspective of an authenticated user. If multiple user types (roles) exist, testing will be performed with each type. Testing combines manual and automated processes that leverage commercial, open-source, and proprietary tools. All automated findings will be manually verified to minimize false positives.
- The penetration test will target the common thick-application attack surfaces: the file system, the registry, process memory, network communications, and the graphical user interface.
Specific areas of focus will include, but are not limited to:
Static Analysis: During the static analysis phase of testing, the following areas will be reviewed:
- Service account roles and permissions (client, application server, database server)
- Application file, folder, and registry permissions
- Application service, provider, WMI subscription, task, and other permissions
- Assembly compilation security flags
- Protection of data in transit
- Hardcoded sensitive data and authentication tokens (passwords, private keys, etc.)
- Hardcoded encryption material (keys, IVs, etc.)
- Use of insecure encryption and hashing algorithms
- Database user roles and permissions
- Database and server configurations
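The "assembly compilation security flags" item is concrete enough to show. The check below is an added example written for this page, not tooling from the original scope document: it parses the PE optional header of a client binary, reads the DllCharacteristics word, reports which load-time mitigations (ASLR, DEP, Control Flow Guard, high-entropy ASLR on 64-bit images) are missing, and notes whether the image is a managed (.NET) assembly by looking at the CLR data directory. The `build_minimal_pe` helper constructs a header-only sample image so the script runs offline; the sample flag values and the `check_file` path helper are assumptions for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit high-entropy ASLR
    "DYNAMIC_BASE":    0x0040,   # ASLR
    "FORCE_INTEGRITY": 0x0080,   # signature enforced at load
    "NX_COMPAT":       0x0100,   # DEP
    "NO_SEH":          0x0400,
    "APPCONTAINER":    0x1000,
    "GUARD_CF":        0x4000,   # Control Flow Guard
}

# Mitigations expected on a hardened build. HIGH_ENTROPY_VA only applies to
# PE32+ (64-bit) images, so it is checked conditionally in missing_mitigations.
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def parse_pe(data: bytes) -> dict:
    """Read DllCharacteristics and the CLR data directory from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe32plus = False
    elif magic == 0x20B:
        pe32plus = True
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories follow the Windows-specific fields; entry 14 is the
    # CLR (COM descriptor) directory and is non-zero only for managed assemblies.
    nrva_off, dd_base = (108, 112) if pe32plus else (92, 96)
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    managed = False
    if n_dirs > 14:
        clr_rva = struct.unpack_from("<I", data, opt + dd_base + 14 * 8)[0]
        managed = clr_rva != 0
    flags = {name: bool(dll_chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    return {"pe32plus": pe32plus, "machine": machine, "managed": managed,
            "dll_characteristics": dll_chars, "flags": flags}


def missing_mitigations(info: dict) -> list:
    """Names of expected mitigations that are not enabled in the image."""
    missing = [name for name in EXPECTED if not info["flags"][name]]
    if info["pe32plus"] and not info["flags"]["HIGH_ENTROPY_VA"]:
        missing.append("HIGH_ENTROPY_VA")
    return missing


def build_minimal_pe(dll_chars: int, pe32plus: bool = True, managed: bool = False) -> bytes:
    """Constructed, header-only (non-loadable) image used as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224  # standard fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    nrva_off, dd_base = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    if managed:
        struct.pack_into("<II", opt, dd_base + 14 * 8, 0x2008, 0x48)  # assumed CLR header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> list:
    """Report missing mitigations for a binary on disk (path is an assumption)."""
    with open(path, "rb") as fh:
        return missing_mitigations(parse_pe(fh.read()))


if __name__ == "__main__":
    # Constructed sample: 64-bit managed image built with ASLR, DEP and
    # high-entropy VA but without Control Flow Guard.
    sample = build_minimal_pe(0x0160, pe32plus=True, managed=True)
    info = parse_pe(sample)
    print("managed=%s pe32plus=%s" % (info["managed"], info["pe32plus"]))
    print("missing:", missing_mitigations(info))
```

The same bits can be read with `dumpbin /headers` on a machine with the Visual Studio tools; the value of a small parser is that it can be run over every binary in the install directory and the results diffed against the build configuration. A managed image is reported as such so the reviewer knows the CLR, not only the native loader, decides how the process is laid out, and looks at the runtime configuration as well.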
Dynamic Analysis: During the dynamic analysis phase of testing, the following areas will be tested and reviewed:
- Authentication and authorization controls enforced on the client and server
- Application user roles and permissions
- Application workflow logic between GUI elements
- Web Services utilized by the application using web application testing methodology
- File system changes including file and folder creation, deletion, and modification
- Registry changes including creation, deletion, and modification of keys and values
- Application objects and information stored in memory during runtime
- Use of insecure encryption and hashing algorithms
- Network protocols utilized by the application (SMB, FTP, TFTP, etc.)
- Database connections
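The file-system change items above are usually assessed by differencing a snapshot taken before an application action against one taken after it, the approach tools such as Regshot and Procmon automate. The script below is an added example for this page, not tooling from the original scope: it hashes every file under a directory, diffs two snapshots into created, deleted and modified files, and then greps the new and changed files for plaintext credential markers, since configuration or log files written with passwords are a frequent thick-client finding. The `demo` function builds a constructed temporary directory and simulates application activity so it runs offline; the file names, contents and the `SECRET_MARKERS` list are assumptions. Registry changes are assessed the same way with `winreg` on Windows, which is not shown here.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root) to (size, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(full, root)] = (os.path.getsize(full), digest.hexdigest())
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as created, deleted, or modified between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


# Assumed, lowercase markers of plaintext secrets; extend per application.
SECRET_MARKERS = (b"password=", b"connectionstring", b"begin private key")


def files_with_plaintext_secrets(root: str, paths: list) -> list:
    """Return the subset of paths whose content contains a secret marker."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            blob = fh.read().lower()
        if any(marker in blob for marker in SECRET_MARKERS):
            hits.append(rel)
    return hits


def demo() -> dict:
    """Constructed scenario: one login action that touches three files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "app.ini"), "w") as fh:
            fh.write("[db]\nhost=db01\n")
        with open(os.path.join(root, "stale.tmp"), "w") as fh:
            fh.write("x")
        before = snapshot(root)

        # Simulated application activity during the tested workflow.
        with open(os.path.join(root, "config", "app.ini"), "a") as fh:
            fh.write("password=Winter2024!\n")      # credential persisted in plaintext
        with open(os.path.join(root, "session.log"), "w") as fh:
            fh.write("login ok\n")
        os.remove(os.path.join(root, "stale.tmp"))

        after = snapshot(root)
        changes = diff_snapshots(before, after)
        changes["secrets"] = files_with_plaintext_secrets(
            root, changes["created"] + changes["modified"])
        return changes


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

In a real engagement the snapshot roots are the install directory, `%APPDATA%`, `%LOCALAPPDATA%`, `%TEMP%` and `%PROGRAMDATA%`, and the diff is taken around each GUI workflow step so a change can be attributed to the action that caused it.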
After identifying the strengths and weaknesses of the thick application(s) and of the Client's development and security program processes, the assessment team will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and the likelihood of process failure or exploitation. The team will also collaborate with stakeholders so that notable findings can be analyzed and compared against program goals and compliance requirements.
NoCode Developer | 3 Months | Outside IR35 £400 - 500 p/d | Remote
An opportunity for an experienced NoCode Developer to join a growing, innovative company within the environmental sector.
You will get complete autonomy of the full project that involves creating a platform that will go to a range of direct consumers.
Requirements:
- West Midlands based - can be 100% remote
- NoCode experience (Bubble, Zoho, Fliplet, etc.; no preference on platform)
- Strong communication and leadership skills
Desirable:
- UX/UI skills/experience
- Figma
This is initially a 3 month contract but it is likely to be extended.
Apply now and don't miss out!
Oscar Associates (UK) Limited is acting as an Employment Business in relation to this vacancy.
To understand more about what we do with your data please review our privacy policy in the privacy section of the Oscar website.