Web Application Security Testing
We have broad knowledge of the functional and technical aspects of security testing. We follow an industry-standard testing methodology: comprehensive tests to discover security vulnerabilities, a rating of each finding on a risk scale, and security recommendations where necessary.
Our security teams scrutinize the web application manually and also run a series of automated scans with the best security tools available on the market to uncover security holes. Although we send tens of thousands of specially crafted requests automatically and run vulnerability scans that last for days, we favour a manual approach to web application penetration testing: relying solely on automated tools would not uncover all the issues an experienced security engineer would find. Our security testing process consists of:
- Security Requirements Gathering
- Security Analysis and Design
- Secure Development
- Security Quality Assurance
- Secure Deployment
- Post Deployment Security checks
As part of our web application security testing, we examine the client's web application using both manual testing and a series of automated scans and tests to identify vulnerabilities.
We follow the international guidelines set by OWASP (the Open Web Application Security Project) when security testing web applications. A detailed checklist of what we look for in each web application can be found in the OWASP Testing Checklist (https://www.owasp.org/index.php/Testing_Checklist).
The deliverable is a Web Application Security Testing Report covering the vulnerabilities found, their associated risks and our security recommendations, together with supporting detail such as screenshots, tables and graphs.
Security is not a one-time process. Any update to the code or the network can introduce new vulnerabilities and make the application unsafe, so we strongly recommend periodic testing to check for newly introduced security holes.
| Technical Expertise | |
|---|---|
| Security Testing Tools | Netcat, Nmap/Zenmap, Nikto, Nessus, WebSlayer, Hydra, WebScarab, Burp Suite, W3af, BlindElephant, Metasploit, shell scripts, curl, wget, custom scripts |
| Penetration Testing | Information Gathering, Configuration Management, Authentication, Session Management, Authorization, Ajax, Business Logic, Data Validation, DoS, Web Services |
| Mozilla Add-ons | XSS Me, SQL Inject Me, Tamper Data, REST Client, Poster |
| Certified Testing Professionals | CEH, ISTQB, CSTE, CSQA, CMST, AIX Unix, SQL |
Currently we DO NOT offer the following services:
- Security code reviews
- Mobile application security testing
- PCI compliance
- Network Security
- Security Audits