What is it?
Web Application Testing is a comprehensive assessment of your web applications following the Open Web Application Security Project (OWASP) Top 10 testing methodology. The assessment can be carried out from the following perspectives:
Black Box Assessment: Taking on the position of an anonymous malicious threat actor, the penetration tester is provided only with the URL of the application. If the application has a signup or registration element, this can also be included in the scope of work.
Grey Box Assessment: Representing a threat to the application from an authorized user, the penetration tester is provided with access to the application, but no information on its architecture, user base, or the technologies used.
White Box Assessment: The penetration tester is provided with access to the application, full details of its architecture, user rights assignment and the technologies used to build it.
What configuration is reviewed?
The Web Application Testing methodology focuses on the following areas of application security:
- Input validation
- Session management
- Encryption mechanisms and security for data in transit and at rest
- Information leakage
- Access control
- Functional flaws
- Third party libraries and components
- Administration access
What is the output from this assessment?
A full technical report will include the following:
- Executive Summary: Explanation of the vulnerabilities encountered, the risk they pose to your organization, whether the objective was completed and recommendations of any remedial action that should be taken
- Summary of Findings: A table of all vulnerabilities noted during the assessment, the vulnerability title, its risk rating, and the vulnerability’s current state
- Detailed Findings: for each vulnerability,
  - The vulnerability's risk rating
  - The system, URL or process that contains the vulnerability
  - How the vulnerability was exploited
  - The risk posed to the organization
  - Full technical details of how to replicate the vulnerability
  - Remediation advice
- Appendices: Vulnerability output that was noted in the engagement
When evaluating the overall risk rating for each vulnerability, the following factors will be considered:
- Impact: the impact that exploitation of this vulnerability would have on the business or organization
- Risk: the risk posed to the organization if this vulnerability is exploited
- Likelihood: the likelihood that this vulnerability could be exploited
Each vulnerability will have a remediation recommendation, which will be one of the following:
- An official fix, such as a firmware upgrade for hardware or a patch for a publicly disclosed vulnerability
- A workaround, when no official fix is available
- A process improvement, when the vulnerability is exploitable because of a business process