SecurityQA Testing

iSEC will perform automated and manual security testing during each cycle. The following attacks will be performed:

  • Automated testing using iSEC’s SecurityQA Toolbar
    • QA Tests (Non-Exhaustive List)
      • Cross Site Scripting
      • SQL Injection
      • ActiveX Security
      • Server Side Includes Injection
      • Forced Browsing
      • Format Strings
      • LDAP Injection
      • Response Splitting
      • OS Commanding
      • XSS/SQL Internationalization Attacks
      • XSS/SQL Transformation Attacks
      • Web Services
        • XPath Injection
        • XQuery Injection
        • XML Injection
      • Directory Traversal
      • SSL Cipher Strength Analysis
      • Cookie Analysis
      • HTTP Method Analysis
  • Manual testing using iSEC consultants
    • Business Logic Issues
      • Inappropriate access to sensitive and/or private information
      • Unauthorized changes using existing application functionality
      • Bypassing business logic rules around account activity
    • Cross Site Request Forgery
    • Adobe Flash Attacks
    • Concurrency Attacks
    • Session Management (Subversion, Predictability, Timeouts/Logouts)
    • Username/Password Recovery
    • Data Leakage
    • Blind SQL Injection