Secure Application Certificate Issuance Security Testing
Secure Application's Web Application Tests thoroughly audit both the certificate issuance process and any related web applications used to manage certificates, including those dedicated to user control panels, re-issuance, re-keying, and revocation interfaces. A key feature of this service is Secure Applications's extensive experience with the SSL industry.
Secure Application has been tracking the SSL industry almost since its inception, having surveyed the internet for SSL certificates since 1996. Secure Application is a PCI Approved Scanning Vendor and an established web application security auditor, providing security services for two of the world's top ten banks, a worldwide credit card network, leading e-commerce companies and all major web browsers.
The CA/B Forum's Network Security Requirements prescribes both penetration testing and regular vulnerability scanning. Secure Application's Audited by Secure Application service provides for regular scans of your internet-facing infrastructure for security vulnerabilities. A Secure Application seal can demonstrate the results of the scan to your customers.
Certificate Issuance Process
Our tests are designed to rigorously push the defences of your certificate issuance process. While including web-application-specific vulnerabilities, such as SQL injection, our tests also consider the aims of an attacker aiming to obtain a certificate by deception.
Our report provides a detailed analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of the service under test.
Secure Application's test will include the following:
- An automated scan of the infrastructure supporting your certificate issuance process<
- Testing the security of the web application powering the user interface, subjecting it to the tests carried out in a Web Application Test.
- Testing the security and fraud resistance of the purchase process
- Examining whether the domain validation mechanism can be bypassed including the ability toobtain certificates for unauthorised and high-risk domains
- Assessing the ability to obtain certificate types prohibited by the Baseline Requirements (for example: weak public keys or signature algorithms)
The certificate issuance process does not stand alone; it is surround by additional supporting services such as user control panels and administrative access options. These additional applications are subjected to a rigorous Web Application Test, pushing the application to its limits in search of vulnerabilities that could be exploited by an outside attacker or another user.
Typical vulnerabilities found in Web Application Tests include cross-site scripting, SQL injection, cross-account access & lack of authorisation checking, cross-site request forgery, and remote command injection.
The duration of a test depends on the size and complexity of a site.
Secure Application also offers several other services that may be of interest to certificate authorities, including:
- Secure Application Phishing Alerts for CAs
- Secure Application SSL Server Survey
- Secure Application BR, EV and CT Compliance Checking for Certificate Authorities
- Domain Registration Risk