Web Applications Security Testing
Web applications are without doubt one of the most important elements of the Internet as we know it. Thanks to web applications, companies around the world can create their image on the Internet, perform financial transactions, open internet shops, sell content and use web applications for various, almost unlimited business purposes.

Web applications are also among the most popular intrusion targets. According to statistics from the most renowned analytics companies, every year we observe more attacks, including successful ones. As a result, each year more companies suffer the consequences of data theft, loss of customer confidence or damaged reputation.

Service

Web application security testing is a highly specialized service recommended to all companies for which web applications are a vital element of operation, or which can suffer in case of a successful attack on the availability, integrity, or confidentiality of the data processed by web applications.

Security tests conducted by our company focus on discovering security gaps and vulnerabilities related to:
  • Applied architecture of the web application
  • Applied software design patterns
  • Weaknesses of the HTTP protocol and their impact on the application
  • Technologies used at the data presentation layer
  • Technologies used at the application layer
  • Web server and its configuration
  • Application server and its configuration
  • Improper use of PKI elements
  • Improper data validation
  • Implemented authentication and authorization mechanisms
  • Errors in the web application code
  • Many others
Depending on the agreed scope of the security tests and business needs, we conduct security testing:
  • With no knowledge about the tested application ("black-box testing")

    This is a simulation of an attack by an intruder who does not possess any knowledge about the tested application, that is, a typical attack from the Internet. In this type of test we try to gather as much information about the application as possible before we start performing controlled attacks on it.
     
  • With partial knowledge about the tested application ("gray-box testing")

    This type of test is a simulation of an attack by someone who possesses partial knowledge about the tested web application. For example, the person knows what technologies, components or versions of software components are used, what the directory structure is, or what software patterns have been applied.
     
  • With full knowledge about the tested application ("white-box testing")

    This is a simulation of an attack by someone who possesses full knowledge about the tested web application. This can be a simulation of an attack by a former employee. We simulate an intrusion by someone with full access to the documentation and source code of the application. In combination with "black-box" testing, this test is also a practical verification that may reveal how knowledge of the application source code may help potential intruders breach the web application's security.
All security tests performed by our company are based on manual tests, and automated testing tools are used only in selected parts of the tests.

Results

The end result of web application security testing is a detailed report, consisting of:
  • Executive Summary
  • Scope of the security tests along with the actions performed
  • A list of discovered vulnerabilities
  • Evaluation of vulnerability severity, based on the scale agreed with the Customer
  • Proposals for improvements to eliminate the discovered vulnerabilities
© 2010 Prevenity Sp z o.o. All rights reserved.