Application Security Testing:
Case Study

Business overview

Golfbreaks.com are the UK's largest specialist golf booking service. They organise tailor-made golf breaks and golf days at over 350 venues throughout the UK and Europe. Golfbreaks.com's web presence is central to their continued success, both as a point of contact and as a comprehensive catalogue and inventory of services.


Background

As Golfbreaks.com are heavily reliant on the integrity of their client and CRM data, they needed to know that their web-facing infrastructure was secure. The reasons are twofold:
  • Mitigating business risk from data corruption/loss
  • Legislative and regulatory compliance

    MWR InfoSecurity were contracted to test web-facing systems and infrastructure. This was the first time Golfbreaks.com had employed a third-party security firm, so speed of response and accessibility were key to their requirement.

    In order to roll out any transactional components within their website, Golfbreaks.com needed the assurance that the underlying infrastructure was secure and could support future online payment mechanisms.


    Details of service delivered

    Various key servers were tested for vulnerabilities and potentially exploitable services and systems.

    Application Security Test

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) Flaws
  • Buffer Overflows
  • Injection Flaws
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management

    Penetration Test

  • Firewall Testing
  • Network Surveying
  • Password Cracking
  • Port Scanning
  • Privacy Review
  • Router Testing
  • Systems and Services Identification
  • Vulnerability Testing & Research

    A full report was delivered 3 days after the conclusion of the test via SSL secure download. Full support and direct telephone access to the testing team were provided during the test to discuss the issues raised and advise on tactics for tackling them.


    Expectations

    Based on sample reporting and recommendations, Golfbreaks.com's expectations of MWR InfoSecurity testing were high. The key expectation was that after testing and remediation they would have a secure central database and surrounding systems. These would be hardened against attack yet still accessible and easily maintained.

    Golfbreaks.com demanded timely backup and support which would facilitate any remedial work. They also needed to have access to technically insightful people who could communicate effectively in plain English.


    Problems solved / Outcomes

  • Heightened application security
  • Increased confidence in database security and integrity
  • Secure foundation for future e-payment implementation
  • Compliance with related legislation


    Testimonial

    "MWR InfoSecurity were helpful from the start; they provided us with an example of the type of report we could expect, kept us apprised of what was going on at all times and subsequently have been very helpful with the small (but technical) amount of remedial configuration work required."

    Gary Smith
    IT Manager
    2005-04-07

    "Before we could launch the Golfbreaks.com membership and loyalty scheme we needed to be sure that the new member area of our website was 100% secure. MWR InfoSecurity were able to provide this service, and after three days of testing and a full report analysing all areas of our website we are now confident that our website is secure. The service that MWR InfoSecurity provided was very thorough and professional and I would recommend them to other companies for whom website security is essential for their business."

    Guy Proddow
    Director
    2005-04-08


    MWR InfoSecurity St Clement House Alencon Link Basingstoke Hants RG21 7SB
    Tel: 01256 300920   Fax: 01256 844083