A penetration test of your website identifies application-level vulnerabilities that may be exploited by an Internet-based attacker.
Like most businesses and organisations, your website is perhaps one of your most valuable assets. Providing your customers and users with a safe and secure online experience is now more important than ever before, so that the reputation of your business is maintained and you instill confidence in your customers.
Cyber-attacks against websites and web applications continue to be one of the most common causes of data breaches against organisations. While many of these attacks are automated, and in many cases are not aimed at a specific target, there has been a significant increase in sustained and targeted attacks against websites by cyber-criminals, hacktivist groups and organised criminal gangs. The motives behind most targeted website attacks range from website defacement and malware injection to Denial of Service (DoS) and attempts to gain access to backend databases containing sensitive information.
Conducting a penetration test of your organisation's web application allows you to identify flaws in the underlying code that may result in exploitable vulnerabilities.
SecureTeam has extensive experience in application-level penetration testing for a wide range of customers. From charities through to large-scale retail and banking platforms, our consultancy team are adept at identifying the latest web vulnerabilities in your website or application, so you can apply effective security measures to reduce the likelihood of a security breach.
Using a combination of automated and manual testing, our consultant(s) will conduct a thorough assessment of your web application, identifying vulnerabilities that may be exploitable by both unauthenticated and authenticated users.
The use of automated tools & scripts, combined with an in-depth manual testing approach, allows us to efficiently & accurately test your application and maximise the level of testing that can be performed in the time available.
All application testing will be conducted in line with the current standards and methodologies produced by the Open Web Application Security Project (OWASP).
At a minimum, we will concentrate on the following OWASP Top-10 vulnerabilities that commonly affect web applications:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Insufficient Logging & Monitoring
In addition to the common vulnerabilities listed above, we also conduct testing around the following areas:
In order for us to be able to perform a penetration test of your web application, we will require the following prior to the test commencing:
- A signed & completed Testing Consent Form
- URL(s) of the application(s) to be tested
- Two sets of credentials for each user role to be tested
- If a Web Application Firewall (WAF) resides in front of the application, we will need this to be disabled or SecureTeam’s IP address range to be ‘whitelisted’ for the duration of the testing. This ensures that the WAF does not interfere with the testing and allows us to provide you with an accurate set of results.
Engaging with SecureTeam for your Web Application Test will provide you with the following:
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of what your web application is used for. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or any evidence in our results that may indicate a security breach may have already taken place.
Once the web application test has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities contain a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Where applicable, we provide additional reference URLs for each vulnerability, so that further information on the vulnerabilities can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly-generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted & expiring URL link – allowing you to download the test report securely to your workstation.
We are committed to ensuring that, as our customer, you receive the utmost value from our consultancy services, and we look forward to developing a long-lasting business relationship with you.
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff and provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and technical staff who may be tasked with applying the recommended course of action.
Free 14-Day Retest
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.