Application Security

FVC performs application code review, a service that goes beyond the simple data analysis produced by code-scanning tools. While our service offering fully complies with PCI DSS requirements, what differentiates us from the competition is an approach and methodology that systematically applies vulnerability detection from a real risk perspective. To achieve this, we perform testing in phases.

Phase 1:

  • Identify the business objective of the application and its critical functionality

  • Identify key areas, assets, and technologies of the application environment

  • Analyze the input interface surface of the environment

  • Analyze the service and help define interface standards

  • Collaborate in defining user roles and responsibilities

  • Collaborate in creating security controls for access, management, data validation, transmission security, processing, and storage

  • Review the logical layers of the application (presentation, business, and data levels)

Phase 2: To protect your applications and underlying assets, it is imperative to identify all possible threats and categorize them. During this phase, FVC applies a methodology focused on maintaining system confidentiality, integrity, availability, and compliance with business requirements. Threats are always technology-independent and must be understood in the context of the application architecture, so we review how key stakeholders interact at every layer of the application. On that basis we can recommend process controls and reviews, classify findings, and validate risk exposure.

Phase 3: This phase covers the technical review and execution of vulnerability testing, penetration testing, and exploitation of architectural components, their controls, and their operations. FVC performs penetration testing with multiple technical tools, covering script implementation, ticket testing, change testing, stress testing, design flaws, technical flaws, and possible implementation flaws.

Phase 4: Reporting and additional validation make up the final phase. Each detected vulnerability is reported together with its solution, and once the client has remediated it, our technicians retest to confirm that the change is free of flaws. This cycle continues until all remaining processes are complete and the final report is delivered.