Application security testing
Web applications are a weak point of current IT systems. One reason is that application security problems are seriously underestimated; another is the lack of standards for developing secure software. What's more, applications are an attractive target because they hold business information.
One way to reduce the risk of losing data or reputation is to check the security of your applications before somebody unauthorised does. As a first step we propose security tests and an assessment. The aim of these tests is to identify an application's vulnerabilities to potential attacks and to find any gaps that could be used to gain access to valuable information.
Penetration tests
Basic security tests, also referred to as penetration tests, involve controlled attempts to break the security controls of a given application. They should be performed before the application is deployed but, as far as possible, after its functionality and performance have been tested.
Source code review
Extended security tests include a review of the application's source code. This method allows a more thorough verification of the hypotheses and assumptions arising from the penetration tests. Source code is not always available, however, and without it such extended tests cannot be run.
Security assessment
If an opinion on an application's security is also required, it is worthwhile to extend the tests with an assessment of the security methods applied. This allows not only identifying shortcomings but also a thorough appraisal of the security controls. The assessment is prepared on the basis of OWASP ASVS (Application Security Verification Standard). The resulting report presents an opinion on around a dozen key security aspects defined in the standard and is tailored to the characteristics of the assessed application.