Application Penetration Testing

The primary objective for a web application penetration test is to identify exploitable vulnerabilities in applications before hackers are able to discover and exploit them.

Overview

Web application penetration testing reveals the real-world opportunities hackers have to compromise applications in ways that allow unauthorized access to sensitive data or even a takeover of systems for malicious or non-business purposes.
This type of assessment is an attack simulation carried out by our highly trained security consultants in an effort to:
- Identify application security flaws present in the environment
- Understand the level of risk for your organization
- Help address and fix identified application flaws

ASC application penetration testers have experience developing software, not just trying to break it. They leverage this experience to zero in on critical issues and provide actionable remediation guidance.

As a result of our penetration tests, you’ll be able to view your applications through the eyes of both a hacker and an experienced developer to discover where you can improve your security posture. Our consultants produce findings in written reports and provide your team with the guidance necessary to effectively remediate any issues we uncover.

Approach

ISEC's web application penetration testing service uses a comprehensive, risk-based approach to manually identify critical application-centric vulnerabilities in all in-scope applications. The assessment proceeds through the following phases:
1. Information Gathering
2. Threat Modeling
3. Vulnerability Analysis
4. Exploitation
5. Post-Exploitation
6. Reporting
Using this industry-standard approach, ISEC's comprehensive method covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2013, including but not limited to: Injection, Cross-Site Scripting, Cross-Site Request Forgery, Unvalidated Redirects & Forwards, Broken Authentication & Session Management, Security Misconfiguration, Insecure Direct Object Access and more.

Manual Testing vs Automated Testing

ASC's approach consists of about 80% manual testing and about 20% automated testing; actual proportions may vary slightly. Automated testing adds efficiency, but only during the initial phases of a penetration test. At ASC, it is our belief that an effective and comprehensive penetration test can only be realized through rigorous manual testing techniques.

Tools

In order to perform a comprehensive real-world assessment, ASC uses commercial tools, internally developed tools and the same tools that hackers use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack, and we leverage the many tools at our disposal to effectively carry out that task.

Reporting

We consider the reporting phase to mark the beginning of our relationship. ASC strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with an online remediation knowledge base, dedicated remediation staff and a ticketing system to close the ever-important gap in the remediation process that follows the reporting phase.
We exist to not only find vulnerabilities, but also to fix them.