Our penetration testing team will combine manual penetration testing techniques with automated tools which will ensure the best coverage and detection rate of potential vulnerabilities.

The testing process consists in test scenarios focused on the following areas:

Injection flaws
Broken Authentication
Insecure Deserialization
Sensitive Data Exposure
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Missing Function Level Access Control
XML External Entities (XXE)
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring

During every Web Application assessment we perform the following steps in order to deliver quality services to our customers:

Building a Threat Model. An threat model will be created to explore assets, threats, attack vectors and conditions required for successful attack. To perform this, our experts will investigate the architecture of the applications, the involved technology as well as the key security requirements and threats. This step might involve techical meetings and discutions with key personnel from the customer’s staff.

Building an evaluation plan. The next step involves reviewing threat model results performed by our certified penetration testers and generate test scenarios to cover possible threats. The test scenarios custom to your web application’s specifics will be combined together with OWASP’s testing methodology to generate a test plan that will guide the attack and test execution process, ensuring every avenue of attack is thoroughly covered.

Executing the evaluation. In the third step the actual attacks scenarios are performed, as they are described in the test plan resulting in one or more vulnerabilities that will be identified. All the identified vulnerabilities will be carefully documented, preserving evidence and describing necessary steps to reproduce them.

Creating the report and present it to the Customer. This is the final step of the assessment and one of the most important in the process. We believe that quality reporting of the identified vulnerabilities along with practical remediation recommendations ensures the project’s success. Also, the impact and severity scores associated with each vulnerability will be thoroughly explained from both management and technical perspectives.

SafeByte’s Web penetration testing services comply with Open Web Appliction Security Project (OWASP) testing methodology and Application Security Verification Standard (ASVS) completed with custom tests specific to your own web application’s workflows and business logic. We provide Black-Box, Grey-Box or White-Box testing approaches to meet your specific needs.

Our web penetration testing methodology is based on the following industry standards:

• Open Web Application Security Project (OWASP) Testing Guide
• Technical Guide to Information Security Testing and Assessment (NIST 800-115)
• The Penetration Testing Execution Standard (PTES)
• Payment Card Industry (PCI) Penetration Testing Guidance