Unlike web application (thin client) security testing, vulnerability assessment of client-server applications (so-called thick or fat clients) is frequently overlooked. The industry underestimates the importance of thick client application security testing and leaves all the related concerns to the software publishers.
Apriorit provides independent expert vulnerability audit and penetration testing services for thick client applications, helping both vendors build truly protected software and large software buyers incorporate only reliable solutions into their secure environments.
Apriorit Security Audit Approach
Being generally more complicated and more heavily customized than web or mobile apps, thick client software needs a specific approach when it comes to security auditing.
Apriorit performs all types of security audit: white box and black box, internal and external security testing. The team starts with research of the software system, the assets an attacker would target and the likely attacker profiles, and then builds a custom vulnerability assessment plan. After that, manual thick client application penetration testing is performed.
Dealing mostly with modern 3-tier architectures, our experts thoroughly test all three main solution components (application user interface, application server, database server). A typical security assessment plan is based on these main points:
- Analysis of the configuration
- Analysis of the installation packages and system utilities/data
- Communication analysis
- Server security testing
- Client security testing
During black box testing, Apriorit experts attempt to reverse engineer the application with nothing but the shipped binaries, to see how easily its core logic can be reconstructed and its code extracted.
White box security testing includes architecture and code review to detect insecure programming practices and potential security weaknesses before an attacker finds them.
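As an added illustration of the first two items of the assessment plan above (configuration and installation package analysis), the following Python script is not Apriorit's own tooling; it walks an unpacked thick client install directory and flags the kind of material a client often ships to every workstation: plaintext database passwords, API keys and cleartext HTTP endpoints. The sample files, file names, check names and patterns are all constructed for the example, and the check list is deliberately short.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of an unpacked thick-client install (not a real product).
# Every value here is made up for the example.
SAMPLE_FILES = {
    "app.config": (
        '<configuration><connectionStrings>'
        '<add name="Main" connectionString="Server=db01;User Id=sa;Password=Sup3rSecret!" />'
        '</connectionStrings></configuration>'
    ),
    "settings.ini": "[api]\napi_key=AKIAEXAMPLE12345\nendpoint=http://api.internal:8080/\n",
    "readme.txt": "Thick client build 1.2.3\n",
}

# Files a thick client typically ships alongside its binaries and that are
# worth reading before any dynamic testing starts.
CONFIG_SUFFIXES = {".config", ".ini", ".xml", ".json", ".properties", ".yml", ".yaml", ".txt"}

# Hypothetical checks; a real engagement would carry a much longer list
# (certificates, update URLs, debug flags, hardcoded encryption keys, ...).
CHECKS = {
    "plaintext_db_password": (
        "high",
        re.compile(r"password\s*=\s*['\"]?([^;'\"\s]+)", re.I),
    ),
    "api_key": (
        "high",
        re.compile(r"api[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{8,})", re.I),
    ),
    "cleartext_http_endpoint": (
        "medium",
        re.compile(r"\bhttp://[^\s'\"<>]+", re.I),
    ),
}


def scan_text(name: str, text: str) -> list[dict]:
    """Run every check over one file's content; return one finding per hit."""
    findings = []
    for check, (severity, pattern) in CHECKS.items():
        for m in pattern.finditer(text):
            findings.append({
                "file": name,
                "check": check,
                "severity": severity,
                # Report the captured secret when the pattern has a group,
                # otherwise the whole match (e.g. the URL).
                "match": m.group(m.lastindex or 0),
                "line": text.count("\n", 0, m.start()) + 1,
            })
    return findings


def scan_install_dir(root: Path) -> list[dict]:
    """Walk an unpacked install and scan every config-like file in it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CONFIG_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


def write_sample_install(root: Path) -> Path:
    """Materialise the constructed sample so the scanner can run end to end."""
    for name, content in SAMPLE_FILES.items():
        (root / name).write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        install = write_sample_install(Path(tmp))
        for f in scan_install_dir(install):
            print(f"[{f['severity']}] {f['file']}:{f['line']} {f['check']}: {f['match']}")
```

Findings from this pass are triage input, not the end of the job: a cleartext endpoint found in a config file becomes a target for the communication analysis step, and a database password shipped in the client means the database server must be tested as if every workstation user already holds it.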
Standards and Deliverables
In our vulnerability assessment and penetration testing, we rely on our broad experience in security development projects as well as industry best practices, techniques, and guidance, such as those provided by OWASP.
At each stage of the project, we communicate closely with the client. Final deliverables include a detailed analysis report, a list of detected vulnerabilities, their prioritization, and actionable recommendations for risk prevention or mitigation. Optional prototyping and implementation of the fixes are also available.