Web Application Security Testing | Website Security Check

The standard signed offer for this service includes:

The Threat

Web applications typically add internet network connectivity to your business processes. This enables you to reach out to customers worldwide. However, with this extraordinary power comes responsibility. The functionality exposed by the web application can also be used inappropriately by online criminals or malicious users, who may find and exploit issues leading to sensitive data leakage or fraud, among other possibilities.

The Solution

A web application penetration test facilitates the identification of security flaws before real attackers can take advantage of them. Furthermore, the mitigation guidance provided will substantially reduce the likelihood of certain attack vectors in the future. Any penetration tester can confirm this for you: It is extremely difficult to find any serious security issue in a web application that has been tested professionally multiple times (when the developers have also implemented the suggested fixes each time).

Customers often combine this test with:

  • Mobile/Desktop app penetration test: When there are apps communicating with the web application, these often use APIs that talk back to the application backend. In these cases it is important to include the associated app(s) in the test so that the testers get a full picture of the threat model. For example, a mobile API issue might be irrelevant to the security of the mobile app but could introduce a serious issue in the web app. Similarly, invalid input could be harmless on the web app but result in a serious issue on the mobile or desktop app.
  • Code Audit: A code audit in combination with a web app pentest provides you with the most value for money, as testers have complete visibility. Many subtle issues can only be found efficiently via code review. We are familiar with the vast majority of popular web app development languages (e.g. PHP, Java, JavaScript, Python, Ruby, C#, etc.) and their associated frameworks.
  • Server Hardening Audit: You could provide us with SSH/Remote Desktop access to a staging server so that we can review the current hardening situation and suggest improvements. This limits the potential impact of a breach as much as possible.

The Methodology

We do not lock ourselves into any particular list and will review your security from the perspective of a real attacker, using manual testing techniques and also automation where needed, but in a controlled fashion and always with your permission. That said, our web application penetration tests typically cover the OWASP Top 10 and the relevant tests from the OWASP Testing Guide applicable to the target application. Some examples of this are public. We focus on high impact application areas to ensure that critical issues are identified and subsequently eliminated. However, we will always tailor the test to meet your specific needs. For example, your threat model may be different: you may be worried about a different type of attacker, or what your application is trying to protect may simply be something non-standard. We can help you with that.

How To Order

Simply contact us and let us know what you need to test. We will revert with some questions to understand the scope, schedule the test and tailor the test to meet your needs, for free. If you want to proceed, we will send you an offer for signing and coordinate the steps together from there.
