Web Application Security Testing
Secure Applications Web Application Testing service is an internet security audit, performed by experienced security professionals. A key feature of the service, and one which cannot be covered by relying solely on automated testing, is application testing.
The service is designed to rigorously push the defences of internet networks and applications. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.
A final written report provides an analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of the service under test.
The Web Application Testing service can be used to ensure compliance with PCI DSS v2.0 requirement 11.3, (penetration testing) as it includes both network and application layer testing. Secure Application is a PCI Approved Scanning Vendor (ASV).
Areas Covered by Web Application Testing
- Configuration errors
- Advice on data that could have been exposed due to past errors
- Application loopholes in server code or scripts
- Advice on fixes and future security plans
- Testing for known vulnerabilities
- Reducing the risk and enticement to attack
Customers who have had tests performed by Secure Application include: Aegon, Capita, Lloyds of London, Virgin Money and Group 4 Securicor.
Typical Issues Discovered in an Application Test
- Cross-site scripting
- CGI-BIN manipulation
- Server misconfigurations
- Form/hidden field manipulation
- Command injection
- SQL injection
- Well-known platform vulnerabilities
- Insecure use of cryptography
- Back doors and debug options
- Cookie poisoning
- Errors triggering sensitive information leak
- Broken ACLs/Weak passwords
- Weak session management
- Forceful browsing
- Risk reduction to zero day exploits
- Buffer overflows
Cost & Duration
The duration of a test depends on the size and complexity of a site, but can start from 6 days (approx four days testing, two writing up).