THE WHY

A web application penetration test, should be part of any organization’s software security testing strategy. While automated testing technology can find many flaws and vulnerabilities in web applications, it takes a web application penetration test to find certain business logic flaws and problems with authorization issues that can lead to security breaches when left unfixed. Best practices for web application security suggest conducting a web application penetration test at least once per year for each application. This is increasingly important as more and more vulnerabilities are discovered every single day.

The challenge for application security teams is coming up with the resources for annual web penetration testing. A full web application penetration test can take weeks to complete and as the demand for skilled penetration testers increases, the cost to hire a qualified tester rises as well.

THE HOW

Nordic Resilience offers an alternative: web application penetration test services that combine manual processes and automated scans to reduce the cost and time required for penetration testing. Our penetration tests of web applications are divided into two phases.
Phase 1 is a full automated scan of the web application using multiple tools. This task sends millions of malformed and/or malicious requests, in order to provoke the web application to act in unintended ways that could lead to a vulnerability.
Phase 2 involves a manual review of the web application’s rich functionality. After the penetration tester has gathered sufficient information regarding the web application (e.g. back- and frontend technologies), a thorough manual test of the web application will be done, with creative attacks.

The methodology will follow that of OWASP’s Web Application Penetration Testing:

Configuration and Deployment Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Error Handling
Cryptography
Business Logic Testing
Client Side Testing
THE DELIVERABLE AND DURATION

The deliverable consists of collecting all observed vulnerabilities into a single commercial-grade report that will contain a non-technical section for the C-suite members of the organization, as well as a technical section that will provide in-dept details regarding the vulnerabilities that were observed. Lastly, all vulnerabilities will be manually scored with a risk-assessment (CVSS or Low/Medium/High/Critical), in order to assist the organization with the priority of remediating each one.

A penetration test of a web application usually takes 5 days but this varies from application to application due to differences in complexity.