APP Security Testing
The goal of application security testing is to detect application vulnerabilities to potential attacks, or in other words – to find defects that could be exploited by intruders.
Security defects are an inherent part of the application development process. Like any other error, they can result from an incorrect architecture, a developer’s mistake or an infrastructure configuration error. Security tests, like functional tests, aim at detecting these defects, but security defects may have far greater impact than functional ones. They are also much more difficult to detect and often require expert knowledge and experience. Moreover, security defects lie outside the application functionality assumed by its authors. That is why security testing techniques are completely different from functional ones. We offer security tests using the following methods:
– penetration testing – controlled attack attempts that examine the application’s behaviour without access to its internal structure (black box testing),
– code reviews (white box testing),
– grey box tests, which are a combination of the above techniques.
Detecting application security defects requires specialist knowledge and a combination of both attacker and developer skills.
Our security testing process has been refined over hundreds of engagements to deliver results that are smooth and understandable for the client. Through nearly twenty years of experience, we have developed security testing techniques that allow us not only to detect the security defects crucial for overall system security but also to make the best use of the allocated time and the client’s budget. How is this possible?
1. We do not rely solely on automated tools, because in application security they detect only basic vulnerabilities and are not effective for all modern application development platforms and technologies. Our security testing consists of carefully selected manual tests that closely imitate an attacker’s methods.
2. We take real risk into consideration. Before testing begins, we perform an analysis (threat modeling) and test first the attack scenarios with the greatest impact on risk.
3. We help not only to discover security problems but also to fix them. The test report contains detailed and realistic recommendations on how to fix the issues. We also offer support during the fixing phase in the form of consultations. If the software was developed externally, we help liaise with the vendor. And last but not least, we perform verification after the vulnerabilities have been fixed.
4. During the testing phase we stay in ongoing contact with the client. The client’s team is kept informed about identified key issues. If necessary, we organize workshops for the development team to discuss the vulnerabilities in detail and help them make the right decisions on how to fix them. Security testing may be performed remotely or on-site, together with the client’s team.
We provide security testing for a variety of applications, taking into account the specifics of the technology and IT environment:
– web applications,
– mobile applications,
– blockchain and smart-contract systems.