Web Application Penetration Testing
Web applications are difficult to secure, which makes them a prime target for attackers. They require regular, specialized testing to keep them secure. Web application penetration testing is designed to uncover software vulnerabilities in modern web applications and to provide recommendations for fixing them.
Web application penetration tests most commonly cover the following types of applications:
Custom or “In-House” Web Applications
Custom Web Services/APIs (SOAP, REST, etc.)
Custom Integrations of Commercial Off-The-Shelf (COTS) Software
Application Layer Penetration Test Methodology Overview
With an application-layer web penetration test, Tanner’s Information Security team will help identify both common and application-specific vulnerabilities that exist in custom-developed software.
Tanner bases our testing process on the OWASP testing guidelines, with an added Tanner touch. Our custom web application testing methodology is heavily focused on manual testing and verification techniques. Many application-layer vulnerabilities are business-logic and authorization flaws: the code behaves as written, but not as the application's rules intend, and an automated scanner that does not understand those rules will not flag them. When exploited, these are often the most damaging vulnerabilities. This is why most web applications require manual testing.
Comprehensive Application and System Reviews
Tanner’s testing protocol begins with a network/operating system review. This helps verify that underlying systems are configured securely. After performing initial systemwide tests, our penetration testing team zeroes in on the application layer (layer 7). Application layer testing accounts for the majority of the time allocated to application penetration engagements.
Our team first assumes the role of an anonymous attacker who holds no valid credentials. This establishes what the application exposes, and what can be exploited, without ever logging in.
Additionally, our team authenticates into the application as ordinary users and determines whether a valid user can:
Gain access to the underlying infrastructure (for example, the host, file system, or database behind the application)
Access information belonging to other users at the same privilege level (horizontal privilege escalation)
Escalate to a higher privilege level, such as an administrative role (vertical privilege escalation)
Role-based Applications and Systems Testing
For role-based applications and systems, testing is conducted across every permission level and authorization policy, not just as one logged-in user. This ensures coverage of the entire application and includes in-depth testing of complex authorization controls that cannot be exercised from an unauthenticated position, such as whether each role is blocked from every function and data set reserved for the others.
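The role-based testing described above, and the unauthenticated and authenticated checks in the preceding section, amount to building an authorization matrix: every endpoint is requested as every principal (anonymous, each ordinary user, the administrator) and the outcome is compared with the intended policy. The following is an added example of such a harness, written for this page; it is not Tanner's tooling. The target application, the session names, the record data and the policy table are all constructed: the in-memory handler toy_app stands in for a real web application and is seeded with two deliberate authorization bugs, one horizontal (any user can read any record) and one vertical (an admin-only export only checks that the caller is logged in), so that the harness has something to report.

```python
"""Authorization-matrix check: drive every endpoint as every principal
(anonymous, two ordinary users, one admin) and diff the outcome against
the intended policy. Added example, not Tanner's tooling; the target is a
constructed in-memory stand-in for a web application, seeded with two
deliberate authorization bugs so the harness has something to find."""

from typing import Callable, Dict, List, Set, Tuple

# Constructed principals: session token -> role and user id (hypothetical).
SESSIONS: Dict[str, dict] = {
    "anon":  {"role": None,    "uid": None},
    "alice": {"role": "user",  "uid": 1},
    "bob":   {"role": "user",  "uid": 2},
    "carol": {"role": "admin", "uid": 3},
}
RECORDS: Dict[int, str] = {1: "alice's record", 2: "bob's record"}


def toy_app(method: str, path: str, session: str) -> Tuple[int, str]:
    """Stand-in request handler for the system under test (constructed)."""
    role = SESSIONS[session]["role"]
    if path == "/login":
        return 200, "login form"
    if role is None:
        return 401, "authentication required"
    if path.startswith("/records/") and method == "GET":
        rid = int(path.rsplit("/", 1)[1])
        if rid not in RECORDS:
            return 404, "no such record"
        # Deliberate bug (horizontal): the record owner is never compared
        # with the caller's uid, so any logged-in user can read any record.
        return 200, RECORDS[rid]
    if path == "/admin/users":
        if role != "admin":
            return 403, "forbidden"
        return 200, ",".join(SESSIONS)
    if path == "/admin/export":
        # Deliberate bug (vertical): an admin-only action only checks that
        # the caller is authenticated, not that the caller is an admin.
        return 200, "full data export"
    return 404, "not found"


# Intended policy: for each (method, path), the sessions that SHOULD succeed.
# On a real engagement this comes from the application's role documentation.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/login"):        {"anon", "alice", "bob", "carol"},
    ("GET", "/records/1"):    {"alice", "carol"},   # owner and admin only
    ("GET", "/records/2"):    {"bob", "carol"},
    ("GET", "/admin/users"):  {"carol"},
    ("GET", "/admin/export"): {"carol"},
}


def classify(session: str, allowed: Set[str], sessions: Dict[str, dict]) -> str:
    """Name the class of an unexpected ALLOW for the given session."""
    role = sessions[session]["role"]
    if role is None:
        return "authentication bypass"
    # If some principal with the same role is legitimately allowed, the
    # session merely crossed into another user's data: horizontal.
    if any(sessions[s]["role"] == role for s in allowed):
        return "horizontal privilege escalation"
    return "vertical privilege escalation"


def run_matrix(app: Callable[[str, str, str], Tuple[int, str]],
               policy: Dict[Tuple[str, str], Set[str]],
               sessions: Dict[str, dict]) -> List[dict]:
    """Call every endpoint as every session; return each policy mismatch."""
    findings: List[dict] = []
    for (method, path), allowed in policy.items():
        for session in sessions:
            status, _ = app(method, path, session)
            expected = session in allowed
            actual = 200 <= status < 300
            if expected == actual:
                continue
            kind = classify(session, allowed, sessions) if actual else "unexpected denial"
            findings.append({"session": session, "method": method, "path": path,
                             "status": status, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in run_matrix(toy_app, POLICY, SESSIONS):
        print(f"{f['kind']:34} {f['session']:6} {f['method']} {f['path']} -> {f['status']}")
```

Against the toy target the harness reports four mismatches: bob reading /records/1 and alice reading /records/2 (horizontal), and both ordinary users reaching /admin/export (vertical). Anonymous requests are correctly rejected with 401 and /admin/users correctly returns 403 to non-admins, so those cells produce no finding. Against a real application the app callable would issue HTTP requests with each session's cookie or token, and the policy table would be filled in from the role documentation before testing begins, so that every 2xx outside the table is a finding rather than a judgement call.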
Penetration Test Deliverable
The actionable report contains the following information:
Steps to Reproduce Each Finding
Detailed Explanation of Each Finding and Its Associated Risk
Recommendations for how to address each finding
The report highlights the gaps identified during testing, along with Tanner's prioritized recommendations for remediating the identified risks. The end result is an improvement in the overall security of the application. The severity and urgency assigned to each recommendation take into account the size of the company and the sensitivity of the data the application handles.