Web Application Testing
Web applications are like doors and windows to your IT systems. They are visible from the outside and connected to internal databases, other IT components, and business processes. That makes them an excellent target for a potential attacker, so special attention must be paid to web application security.
According to the latest data*, web applications are the attack vector in 90% of all attack incidents.
Web application attacks may result in serious consequences, such as:
– Unauthorized access to key resources.
– Modification of users’ data.
– Breach of personally identifiable data.
– Server take-over or blocked access to servers.
This applies both to external-facing applications and to internal ones available only on a corporate network.
What is our approach to web application security testing?
The process of application security testing consists mainly of systematic attempts to abuse every application function. We usually start with threat modeling to identify potential threats: we take into consideration the key resources available in the application and try to define what an attacker would most likely target. A list of potential threats and priorities is discussed with the client; this is the starting point for the technical part of security testing. Sometimes threat modeling is not necessary, especially when the customer is able to precisely specify the required scope of the security tests.
Such a systematic approach ensures efficient allocation of the time dedicated to security testing and comprehensive coverage of all application functionality.
In a typical case, web application security tests are carried out in the following steps:
1. Access to the application, user accounts, and information about the architecture (if a grey-box approach is possible).
2. Threat modeling: security analysis to determine possible attack methods and the most important consequences of a potential attack.
3. Defining priorities, exemptions, and dependencies.
4. Security testing and hacking attempts. The client is informed about any key vulnerabilities as soon as possible.
5. Aggregation of test results and report preparation.
6. Consultancy on ways to eliminate the identified vulnerabilities.
7. Verification that the vulnerabilities have been properly removed.
The result of the security tests is a detailed report. It consists of an executive summary, a detailed description of all vulnerabilities, and proposed improvements. We can also verify compliance with OWASP ASVS (Application Security Verification Standard).
– Frameworks: Angular, ASP.Net, Django, Laravel, Node.js, Play, React.js, Spring, Struts, Symfony, Wicket…
– API: REST, SOAP, GraphQL…
– Databases: MySQL, Oracle, Microsoft SQL Server, MongoDB, PostgreSQL, SQLite…
– Authentication: 2FA, biometry, JSON Web Token, LDAP, OAuth…
– CMS: Drupal, Joomla, Shopify, WordPress…
– Architectures: client-server, microservices, serverless, SaaS (including multi-tenant), SPA…
– Protocols: HTTP, HTTPS, WebSocket, and other nonstandard ones.
“We believe that the key to effective security testing is a thorough understanding of application processes and technologies. That’s why we are constantly developing our skills and tracking recent attacks and defence methods.”
Contact us to get a quote for application security testing. Each application is different. You will receive a set of questions that will help us estimate the workload and the skills needed, on the basis of which we will prepare an offer. If needed, we will contact you to discuss your specific needs, the application’s functionality, and the broader context, to ensure that the results of the security testing have the best possible value for you.
* Source: Verizon Data Breach Investigations Report 2019, https://enterprise.verizon.com/resources/reports/dbir/