Web Application Penetration Testing
Web application penetration assessments are designed to highlight potential security vulnerabilities within an application based upon a defined threat-model. However, unlike source code reviews or architecture assessments, an application penetration assessment also evaluates integration between components (home-grown or third-party) and the overall deployment configuration. These characteristics of the penetration assessment make it a solid choice for establishing a baseline security assessment of an application that has already been developed and deployed. By performing fault-injection and validating application behavior, it is possible to identify unsafe coding practices in areas including, but not limited to: authentication, authorization, session management, cryptography, error handling, information leakage, data validation, output encoding and language-specific coding issues.
Application penetration assessments, however, are not intended to provide a comprehensive security evaluation, outlining every instance of a given vulnerability; rather, they concentrate on highlighting areas of increased risk exposure and identify vulnerabilities representative of specific components, and validate exploitation possibilities when feasible. Application penetration assessments serve as a cost-effective mechanism to identify a representative set of vulnerabilities in a given application, particularly those which attackers are most likely to exploit, and allow application developers to find similar instances of vulnerabilities throughout the code.
Penetration assessments are often time-boxed, providing clients a fixed-price review of specific application components. In certain situations it may also be advantageous to perform hybrid reviews, or white-box assessments to confirm observed behavior during the penetration test and review critical application security controls such as authentication, access control, session management and cryptography.
Each of VSR's assessments rate common application security controls against industry best practices, identifying both short-term tactical fixes and long-term strategic initiatives to improve the overall security posture of the system.
Our professionals work with you to develop a test plan. VSR provides several application and product security testing options:
- Black Box - VSR performs testing using publically available information. Threat modeling includes external attackers with no detailed application knowledge. Testing utilizes both automated tools and manual examination. The goal of this testing is to determine what security posture the application or product presents to an uninformed attacker.
- White Box - In addition to Black Box automated and manual testing of the application, testing includes reviews of configuration files and security settings. VSR works with your staff to identify and assess security issues and to develop robust threat models. Administrative interfaces and connections to related components can also be assessed. The goal of this testing is to thoroughly identify weak and vulnerable aspects of an application in a cost-effective way.
- Full Spectrum - In addition to White Box testing, VSR performs a coordinated code review and architecture assessment. This approach permits our security consultants to more efficiently identify security flaws and assess their impact on the components in the application or product architecture. Findings identified by testing and code review are correlated and cross-referenced, facilitating more extensive analysis and recommendations for remediation.