[Owasp-delhi] Thick client security testing

Venkatesh Jagannathan venki at owasp.org
Tue Aug 17 08:05:50 EDT 2010


Hi Padma Sriram Iyer,
    This actually depends on the type of application.

Is this a Java applet kind of application? If so, you will not have to worry
about the "transport layer insecurities" because applet communication is
tunnelled. That makes it a little difficult. Also, if it runs on SSL, then
it's a bit safer in terms of MITM attacks etc.

If this is going to be a desktop application or even an applet-based
application, look for these things:

0. Command Injection flaws (OS Injection, VM Injections etc)
1. Logic Flaws
2. Authentication & Authorization Flaws
3. Improper configurations
4. Single/Multi- Factor Authentication
5. Unsafe code execution
6. Memory Leaks
7. Race Conditions
8. De-compilable code
9. Untrusted execution
10. Compliance & Regulatory Laws being ignored if any

These are just some of the points that I could come up with. Thinking along
these lines could get you still many more ideas.

Thanks & Regards,
~Venk!
OWASP Chennai Chapter Lead



On Tue, Aug 17, 2010 at 10:11 AM, <padmasriramiyer at hsbc.co.in> wrote:

>
> Hi guys,
>
> Can anyone please guide me how to proceed with security testing of Java
> application i.e. a thick client?
>
>
> Best regards,
> *Padma Sriram Iyer*
> Senior Security Analyst
> GLT Information Security Risk
> HSBC Technology and Services - Global Technology
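As an added example (not code from either poster), a small Python triage script for two items on the list above, "De-compilable code" and "Untrusted execution", run against a constructed unsigned jar; the short-class-name obfuscation heuristic, the sample entry names and the finding thresholds are my assumptions, not anything from the thread.

```python
import io
import re
import zipfile

# Constructed sample jar: unsigned, readable class names, one bundled native lib.
SAMPLE_JAR = io.BytesIO()
with zipfile.ZipFile(SAMPLE_JAR, "w") as zf:
    zf.writestr("META-INF/MANIFEST.MF",
                "Manifest-Version: 1.0\r\nMain-Class: com.example.Client\r\n")
    for name in ("com/example/Client.class", "com/example/LoginDialog.class",
                 "com/example/net/ApiSession.class", "a/b.class"):
        zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only (placeholder)
    zf.writestr("lib/native/helper.dll", b"MZ")  # placeholder, not a real DLL

NATIVE_EXT = (".dll", ".so", ".dylib", ".jnilib")
SIG_EXT = (".SF", ".RSA", ".DSA", ".EC")  # jar signature block files under META-INF/

def triage_jar(data: bytes) -> dict:
    """Static triage of a thick-client jar: signed or not, obfuscated or not,
    bundled native code, and the declared entry point."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    classes = [n for n in names if n.endswith(".class")]
    # Heuristic (assumption): obfuscators usually rename classes to 1-2 letters.
    short = [c for c in classes if len(c.rsplit("/", 1)[-1][:-6]) <= 2]
    main = re.search(r"^Main-Class:\s*(\S+)", manifest, re.M)
    return {
        "class_count": len(classes),
        "signed": any(n.startswith("META-INF/") and n.upper().endswith(SIG_EXT)
                      for n in names),
        "obfuscated_ratio": round(len(short) / len(classes), 2) if classes else 0.0,
        "native_libs": [n for n in names if n.lower().endswith(NATIVE_EXT)],
        "main_class": main.group(1) if main else None,
    }

def findings(report: dict) -> list:
    """Turn the triage dict into notes for the test report (thresholds assumed)."""
    notes = []
    if not report["signed"]:
        notes.append("jar is unsigned: its integrity cannot be verified before launch")
    if report["obfuscated_ratio"] < 0.5:
        notes.append("class names are readable: treat client logic and any "
                     "embedded secrets as recoverable by decompilation")
    if report["native_libs"]:
        notes.append("bundled native code (outside the JVM sandbox, review "
                     "separately): " + ", ".join(report["native_libs"]))
    return notes
```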