DeploySafe For Web Applications

Matasano restores control over internal application security by rigorously and efficiently assessing web applications. We uncover flaws, document and prioritize them, and work with developers to fix them fast.

Why Our Clients Assess Their Web Apps

  • Acceptance testing before applications are exposed enterprise-wide, or on DMZs and partner networks. Assessments minimize risk by reducing exposure to vulnerabilities and remediating problems at the point where they are least costly to fix.

  • Verifying outsourced development, restoring control over security when the owners and operators of an application do not fully control how it is built.

  • Third-party inspection to document security controls for partners and customers and establish security as a competitive advantage.

Our Process

We tailor our engagements to the needs of our customers. We “get it”: every member of our team has published security research, and every member has shipped code. In a typical engagement, we:

  1. Collaborate with you to establish rules of engagement, a statement of work, and milestones for your project.

  2. Research the target application, its documentation, and its deployment environment. Where source code or decompilable binaries are available, we’ll make use of them to speed up testing.

  3. Exercise the target application, recording HTTP transactions for analysis.

  4. Verify best-practice compliance for the specific deployment environments used by the application.

  5. Inspect each HTTP transaction individually, spotting logic flaws and subtle errors and building a map of the functionality of the application.

  6. Probe exposed functionality thoroughly, ensuring proper handling of malicious inputs.

  7. Report a matrix of findings, prioritized by severity, and recommend remediation steps.

  8. Resolve vulnerabilities by working with developers to generate effective fixes, and quickly repeating test cases to verify the fix.

What We’ll Find

  • Broken Access Control, Forced Browsing

  • Privilege Escalation

  • Authentication Bypass and Weak Session Management

  • JavaScript Injection and Cross-Site Scripting

  • Platform Vulnerabilities, Buffer and Integer Overflows

  • SQL Injection

  • Information Leakage and Error Handling

  • Weak Secret Storage

  • Denial of Service

Our Skill Profile

Matasano is an industry thought leader in vulnerability analysis. We have delivered web application assessments for hundreds of thousands of lines of production code, in environments including:

  • Java (J2EE/JSP/Struts/WebSphere/JBoss/Tomcat)

  • .NET (C#, ASP/ASP.NET, ADO, IIS, ActiveX)

  • LAMP (PHP, Perl, Python, Ruby)

  • SOA (SOAP, WS-Sec, XMLRPC, Middleware)

We’re fast. We’re flexible. We can start quickly and work in a variety of engagement types to suit your needs. We don’t rely on automated scanners: we generate repeatable test cases and provide thorough, clear, actionable results.

How To Engage Us

Contact us. If you have a project defined, we’ll quickly review it and give you time frames and availability. If you’re considering testing an application you already have, we’ll discuss it with you and provide background information that will help you secure your application, whether or not you start a project with us.

Who We Are

Since 1994, Matasano researchers have had founding roles in the first security research labs, discovered new classes of vulnerabilities, secured operating systems, and shipped large software projects. We’ve been behind some of the first breaks in SAN technology, virtualization, and financial protocols. Our work has been featured in Network World, eWeek, Forbes, Macworld, Wired, and the Washington Post, and at conferences ranging from Black Hat to Gartner.