A penetration test of your website identifies application-level vulnerabilities that may be exploited by an Internet-based attacker.
Like most businesses and organisations, you probably count your website among your most valuable assets. Being able to provide your customers and users with a safe and secure online experience is more important than ever to protect the reputation of your business and to keep instilling confidence in your customers.
However, our reliance on web technologies has exposed us to security risks, and cyber-attacks against websites and web apps continue to be one of the most common causes of data breaches at organisations. While many of these attacks are automated, and in many cases are not aimed at a specific target, there has been a significant increase in sustained and targeted attacks against websites by cyber-criminals, hacktivist groups and organised criminal gangs. The motives behind most targeted website attacks range from website defacement, malware injection and Denial of Service (DoS) to attempts to gain access to backend databases containing sensitive information.
Conducting a penetration test of your organisation’s web application allows you to identify any security flaws that are present in the underlying code, which may result in exploitable cyber security vulnerabilities being present.
SecureTeam has extensive experience in application-level penetration testing for a wide range of customers. From charities through to large-scale retail and banking platforms, our consultancy team are adept at identifying the latest web vulnerabilities and security weaknesses in your website or application, so you can apply effective security measures to reduce the likelihood of a security breach.
Methodology
Using a combination of automated and manual testing in an attempt to breach any number of application systems (e.g. application programming interfaces (APIs), frontend/backend servers), our consultants and penetration testers will conduct a thorough assessment of your web application to uncover vulnerabilities that may be exploitable by both unauthenticated and authenticated users.
The use of automated tools & scripts, combined with an in-depth manual testing approach, allows us to test your application efficiently & accurately and to maximise the amount of web application security testing that can be performed in the time available.
All web application testing will be conducted in line with the current standards and methodologies produced by the Open Web Application Security Project (OWASP).
At a minimum, we will concentrate on the following OWASP Top-10 vulnerabilities that commonly affect web applications:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Insufficient Logging & Monitoring
In addition to the common vulnerabilities listed above, we also conduct testing around the following areas:
Prerequisites
In order for us to be able to perform a penetration test of your web application, we will require the following prior to the test commencing:
- A signed & completed Testing Consent Form
- URL(s) of the application(s) to be tested
- Two sets of credentials for each user role to be tested
- If a Web Application Firewall (WAF) resides in front of the application, we will need this to be disabled or SecureTeam’s IP address range to be ‘whitelisted’ for the duration of the testing. This ensures that the WAF does not interfere with the testing and allows us to provide you with an accurate set of results.
Deliverables
Engaging with SecureTeam for your Web Application Test will provide you with the following:
In-flight Support
Communication is a vital part of our approach and we will work closely with you, from initial scoping of requirements all the way through to our final reporting.
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of what your web application is used for. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or any evidence in our results that may indicate a security breach may have already taken place.
Reporting
Once the web application test has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities contain a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information on the vulnerabilities can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted & expiring URL link – allowing you to download the test report securely to your workstation.
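The delivery scheme described above, as an added Ruby example that is not SecureTeam's own code: it generates the random password for the out-of-band channel, derives an AES-256 key from it with PBKDF2 and encrypts the report with AES-256-GCM, so that a wrong password or a modified file fails to decrypt rather than yielding garbage. The file layout, the PBKDF2 cost, the 20-character password and the helper names are assumptions, not details from the page.

```ruby
require 'openssl'
require 'securerandom'

# Assumed on-disk layout (the page does not specify one): salt || nonce || GCM tag || ciphertext.
SALT_LEN = 16
NONCE_LEN = 12
TAG_LEN = 16
PBKDF2_ITERS = 200_000
# Alphabet without look-alike characters, since the password is read from an SMS and typed in.
PASSWORD_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'.chars.freeze

# Random password for the out-of-band (SMS) channel; it is never stored with the report.
def new_report_password(length = 20)
  Array.new(length) { PASSWORD_ALPHABET[SecureRandom.random_number(PASSWORD_ALPHABET.size)] }.join
end

# Derive the 32-byte AES-256 key from the password with PBKDF2-HMAC-SHA256 and a per-report salt.
def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERS, length: 32, hash: 'sha256')
end

# Encrypt with AES-256-GCM: fresh salt and nonce per report; the tag detects any tampering.
def encrypt_report(report, password)
  salt = SecureRandom.random_bytes(SALT_LEN)
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_data = ''
  ciphertext = cipher.update(report) + cipher.final
  salt + nonce + cipher.auth_tag + ciphertext
end

# Decrypt the delivered file; returns nil (fails closed) on a wrong password or a modified file.
def decrypt_report(blob, password)
  blob = blob.b
  return nil if blob.bytesize <= SALT_LEN + NONCE_LEN + TAG_LEN
  salt = blob[0, SALT_LEN]
  nonce = blob[SALT_LEN, NONCE_LEN]
  tag = blob[SALT_LEN + NONCE_LEN, TAG_LEN]
  ciphertext = blob[(SALT_LEN + NONCE_LEN + TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```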
After Care
We are committed to ensuring that as our customer, you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff and provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and technical staff who may be tasked with applying the recommended course of action.
Free 14-Day Retest
Notes
With the testing being conducted remotely, we include a free retest of all security issues identified in the report, providing they are mitigated within 14 days of the reporting being issued. This allows you time to take corrective action and ensures that your efforts have been successful in mitigating the vulnerabilities. Re-testing for remediation purposes is always free with no time limit. We don’t just find vulnerabilities, we help you close the loop on them.
Web App Penetration Testing FAQ
Some frequently asked questions about our Web Application Penetration Testing service have been answered as follows:
Who performs a web application penetration test?
Here at SecureTeam, our web application penetration testing is performed by a team of cyber security consultants who are individually accredited by CREST or TigerScheme. All of our penetration testing team perform security assessments using industry-recognised standards and robust test methodologies.
What sort of testing tools will you use?
Our pentesters make use of a range of specialist automated tools and in-depth manual testing to assess web app security. Automation brings speed and excellent coverage and avoids human error, allowing us to maximise the level of pen testing that we can achieve in the time allowed.
What happens at the end of a web application penetration test?
After the web app pen test is complete, the consultant(s) assigned to your pen test will produce a clear & concise report, detailing any vulnerabilities identified, associated risk levels and recommended remedial actions.
Is an Ethical Hacker the same as a Penetration Tester?
While the terms ethical hacking and penetration testing are often used interchangeably when it comes to web application security, they are actually slightly different. It is important that you have the right person for the right job when it comes to your cyber security. As a cyber security consultancy, we can help you understand the complexities of the industry and provide you with absolute confidence in your organisation’s cyber resilience.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.