App. Testing

Pentesting

Web applications are an attack surface that can be used to infiltrate your company, access confidential data and cause reputational damage.


Typically, a company commissions a web app project and, on completion, the application goes live. The application development life cycle includes functional and load testing, but an application security test is often not factored in. Some projects incorporate a Secure Software Development Life Cycle (SSDLC) programme, but even where SSDLC is in place, a manual penetration test is expected at the end of the project before go-live.

Dynamic Application Security Testing (DAST) tools are available to scan applications using fuzzing techniques to identify vulnerabilities. While these may identify the 'low-hanging fruit', they typically cannot apply reasoning to identify the business logic flaws commonly found in applications. Automated tool reports typically contain many false positives and require a tester to validate any findings. A DAST scan is also performed to complement the manual test and cover any areas the manual test may have missed.

A manual test begins with scoping to identify the attack surface, then replicates an attack to investigate its viability. The attack is concentrated on business-context attacks, such as lateral and vertical movement and ACL bypass. The test also addresses the vulnerabilities in the OWASP Top 10.

At the end of the test a comprehensive report is delivered, containing an executive summary, a technical summary and detailed findings. Each detailed finding consists of a description of the vulnerability found, a risk rating based on CVSS 3.0 scoring, a detailed walk-through of the finding with supporting evidence, the impact of the vulnerability, and the fixes / controls to address the issue.

Duration:

Typically 3-10 days of testing

Expected Outcome:

Detailed Report with findings from the test and remediations to address these vulnerabilities.