Web Application Testing
Our Application Security Assessment (ASA) services provide a customized, extensive, impartial and periodic security analysis of internally developed or commercial enterprise applications. The service evaluates an application against current standards and its level of compliance, and gives organizations a well-developed matrix of existing threats and application vulnerabilities together with real-world remediation recommendations for each specific weakness.
Our consultants use a combination of automated and manual techniques to uncover vulnerabilities in clients’ systems and infrastructure. Both proprietary and commercial assessment tools are used to identify these vulnerabilities. To ensure the accuracy and quality of results, consultants perform false-positive validation on every finding, and all testing beyond URL scanning is performed manually.
We utilize a custom ASA methodology, developed through our extensive experience conducting ASAs and dynamic code reviews over the last fourteen years. Our ASA Methodology is based on the Open Web Application Security Project (OWASP) testing guide, NIST 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM) Web Application Methodology. Our testing includes all testing requirements set out by the Payment Card Industry Data Security Standard (PCI DSS).
We perform ASA testing against both client and server applications including:
Thick Client Applications
Application Programming Interfaces (APIs)
We maintain a library of proprietary tests and custom-developed tools to check for vulnerabilities that automated means cannot identify. Additionally, we use the Burp Suite Pro web application vulnerability scanner.
We deliver our ASA services in three (3) service levels, based on client requirements and objectives:
Application Penetration Assessments – Includes application scanning followed by intensive manual testing to identify application vulnerabilities. Application penetration assessments are typically performed on high risk applications, new applications or after major changes to an application. Reporting is fully customized and includes both positive and negative findings.
Application Vulnerability Assessments – Includes application level scanning and manual testing to identify application level vulnerabilities. Application vulnerability assessments are typically performed annually on stable applications, after minor changes to an application or to test a specific application module. Reporting is customized and only includes negative findings.
Mobile Application Security Assessments – Includes full interrogation of a mobile application and its associated services (web services and APIs), along with the server hosting those services. Mobile application security assessments are performed on release-candidate or production versions of mobile applications. This covers both iOS and Android applications.
We believe in a proactive approach to security and a continuous assessment process, and we work with our clients to become an integral part of their Secure Software Development Lifecycle (SSDLC). However, each ASA offering can also be delivered as a one-time standalone assessment.