Penetration Testing

Web Application Penetration Testing

Web applications are often the weakest link in a company's information security environment. Penetration testing is the process of evaluating the security of your web applications by simulating an attack by a skilled and motivated attacker. Performing regular penetration tests enables your company to comply with industry best practices and standards such as the PCI DSS, and to identify and remediate high-risk security vulnerabilities before they are exploited by malicious attackers.

The AppSec Consulting Difference

  • You're guaranteed to receive a high-quality, thorough test based on our proven, proprietary testing methodology, which involves a combination of manual testing as well as the use of leading commercial and open source testing tools.
  • Our reporting differentiates us from the competition - you'll receive an actionable custom-written report containing expert advice tailored to your business, not just automated scan results.
  • We're with you every step of the way throughout the remediation phase beginning with a thorough debriefing to explain all findings.
  • Our security professionals receive better training and have significant web development experience, which means that they understand how applications are designed and coded. They use this knowledge to effectively identify security weaknesses and provide practical remediation advice.

Our Approach

  1. Preparation – AppSec Consulting arranges a conference call to walk through your application, obtain any necessary testing information such as starting URLs and credentials, provide an overview of our testing process, and discuss any special testing requirements.
  2. Exploration – AppSec Consulting manually explores the application in order to become familiar with the application’s functionality, purpose, architecture, and the sensitivity of information handled by the application.
  3. Automated Vulnerability Scanning – High-quality commercial vulnerability scanning tools are used to thoroughly scan the application. This scanning process includes both application and infrastructure scanning, and includes authenticated scanning. We analyze the results and remove any false positives to ensure that our report will only contain actionable issues.
  4. Manual Penetration Testing – The application is manually tested by experienced web application security professionals using AppSec Consulting’s systematic testing process. This testing process covers all major aspects of web application security, including:
    • Authentication
    • Authorization
    • Session Management
    • Input/Output Validation
    • Configuration
    • Sensitive Data Handling
    • Privilege Escalation
    • Error Handling
    • Logical Vulnerability Checks
    • Business Logic
  5. Exploitation – With the client’s permission, significant issues identified during the testing process are exploited in order to both demonstrate the vulnerabilities and better determine the level of risk posed by the issues.
  6. Report Preparation – AppSec Consulting takes the results of both the automated and manual penetration testing and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each vulnerability that was identified.
  7. Debriefing – AppSec Consulting presents all findings to executives and key stakeholders, explains the findings, and provides remediation advice where necessary.

What You Get

  1. An actionable, custom-written Penetration Testing Report, which describes the application's security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
  2. Expert consultation throughout the remediation phase.
  3. Two rounds of remediation testing within 6 months of the initial penetration test to ensure that all issues are effectively remediated.