All of our web application security testing is performed by PenTesters with a minimum of five (5) years of experience.
Web application security assessments cover all categories within the Open Web Application Security Project (OWASP) as well as various National Institute of Standards and Technology (NIST) frameworks.
How Can You Prepare?
Before your web application security testing kicks off, we will need the following:
One (1) user account at each role
Two “standard” user accounts (authorization and session management tests)
Any data required for input fields and workflows
Scope: what are we testing, and is there anything you do not want tested?
Testing should ideally be done in a lower (dev, QA, etc.) environment with a separate DBMS. However, we do often test in production environments.
* Authenticated web application penetration testing and vulnerability assessments will be given five (5) days for testing, analysis, and reporting.
** Unauthenticated web applications don’t typically take as long and will be given three (3) days unless noted otherwise.
Tests include, but are not limited to:
Cross-site request forgery
Reconnaissance, mapping, and information leakage
SQL injection attacks
Encryption, analysis of cipher suites, and configuration
Timeline for Vulnerability Assessment
Prior to Testing
Exchange information and ensure the testing environment is ready.
Walk-through/demo of the application
Opportunity for both sides to ask questions.
An email will be sent letting the appropriate stakeholders know that testing has begun!
Days One - Five
Finally! Penetration testing is in full swing.
Now your assigned PenTester(s) are working through all OWASP categories, starting with mapping the application architecture, identifying entry points, and looking for information leakage to use throughout the vulnerability assessment.
Final Day of Testing
Once active testing has concluded, we will move into the validation, documentation, analysis, and report writing phase.
Completion of Vulnerability Assessment
The report writing is now finished (it has passed QA review), and the report is delivered via encrypted email.
Once the report has been reviewed, an opportunity will be given for your team to ask questions.
** Always feel free to reach out after the engagement!