From mobile to web to desktop, attackers love to target applications. We find vulnerabilities in your applications and help you fix them before they are exposed to malicious attackers.
Our success stories feature real-world security scenarios. You’ll discover varied approaches adopted by your peers in partnering with Bishop Fox, and how our application security services helped organizations, large and small, across an array of industries assess, identify, and minimize risks.
Building a Healthy Security Program
When Zephyr Health needed help keeping sensitive data secure, they turned to Bishop Fox
Application Penetration Testing
At Bishop Fox, our consultants identify application security vulnerabilities by simulating the real-world threat of an attacker attempting to exploit a target application. These zero- or full-knowledge assessments begin with manual crawls and footprinting of the application. Next, the team runs vulnerability scans with automated tools and manually verifies the findings. Finally, the team performs further manual identification and exploitation of application vulnerabilities in an attempt to gain access to application functionality, sensitive information, and the underlying application infrastructure.
Hybrid Application Assessment
Our hybrid application assessment methodology combines the real-world attack techniques of application penetration testing with targeted source code review to identify application security vulnerabilities thoroughly. These full-knowledge assessments begin with automated scans of the deployed application and its source code. Next, the scan results are analyzed and combined with a manual review to identify potential application security vulnerabilities. In addition, the team reviews the application architecture and business logic to locate any design-level issues. Finally, the team manually exploits and reviews these issues to validate the findings.
Mobile Application Assessment
Bishop Fox consultants identify security vulnerabilities by simulating the real-world threat of an attacker attempting to exploit a target application on an iOS device such as an iPhone or iPad. The assessment examines key areas including the application runtime, network services, data storage, and cloud integration. Each assessment is tailored to the specific environment in which the target application is to be deployed, from consumer use to enterprise BYOD.
The assessment team combines automated binary analysis with manual on-device penetration testing of the target app, during which the team employs several open-source hacking tools in addition to Bishop Fox’s proprietary iOS assessment toolchain. Source code analysis is highly complementary to this process and forms part of the preferred approach to security reviews of iOS applications.
Bishop Fox’s mobile application assessment methodology also identifies security weaknesses in Android applications. The assessment team uses both industry-standard and internally developed tools in conjunction with expert-guided testing techniques to locate Android application security deficiencies. After identifying vulnerabilities, the team moves on to manual exploitation of the catalogued weaknesses with the intent to compromise sensitive data, credentials, client devices, and back-end servers. The assessment concludes with detailed reporting of all security issues discovered within the target environment, alongside comprehensive remediation recommendations and steps.
Source Code Review
Source code reviews provide exceptional value by applying automated and manual analysis techniques in a targeted fashion to identify security vulnerabilities within application source code thoroughly. These full-knowledge assessments begin with automated scanning of the application source code. Next, the scan results are analyzed and combined with manual review to identify potential application security vulnerabilities. Additionally, the team reviews the application architecture and business logic to locate any design-level issues. Where possible, the team manually exploits and reviews these issues to validate the findings.