Web Application Penetration Testing


Web applications are difficult to secure, making them a prime target for malicious hackers. They require regular, specialized testing to ensure their security. Web application penetration testing is specifically designed to uncover software vulnerabilities in modern web applications and provide recommendations to help improve their security.


Penetration tests are most commonly performed against the following types of applications:


  • Custom or “In-House” Web Applications

  • Custom Web Services/APIs (SOAP, REST, etc.)

  • Custom Integrations of Commercial Off-The-Shelf (COTS) Software

Application Layer Penetration Test Methodology Overview


With an application-layer web penetration test, Tanner’s Information Security team identifies both common vulnerabilities and application-specific flaws in custom-developed software.

Tanner's Process


Tanner bases its testing process on the OWASP Testing Guide, with an added Tanner touch. Our custom web application testing methodology is heavily focused on manual testing and verification. Many application-layer vulnerabilities are logic flaws in how the application enforces authorization, workflow, or business rules, and automated scanners routinely miss them because nothing in the request or response looks malformed. When exploited, these are often the most damaging vulnerabilities. This is why most web applications require manual testing.

Comprehensive Application and System Reviews

Tanner’s testing protocol begins with a network/operating system review. This helps verify that underlying systems are configured securely. After performing initial systemwide tests, our penetration testing team zeroes in on the application layer (layer 7). Application layer testing accounts for the majority of the time allocated to application penetration engagements.


Our team first assumes the role of an anonymous attacker who has no valid credentials. This establishes what an unauthenticated attacker can reach and whether any functionality or data is exposed without logging in.

Additionally, our team authenticates into the application and determines whether valid users can:


  • Exploit vulnerabilities

  • Gain access to the underlying infrastructure

  • Access unauthorized information

  • Escalate privileges vertically (for example, from a standard user to an administrator)

Role-based Applications and Systems Testing


For role-based applications and systems, testing is conducted across every permission level and authorization policy. This ensures coverage of the entire application, including in-depth testing of complex authorization controls that are missed when the application is tested only unauthenticated.
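The authenticated and role-based testing described above is, in practice, an authorization-matrix exercise: define who should be allowed to do what, exercise every endpoint as every role, and flag each outcome that contradicts the policy. The following is an added illustration and is not Tanner's tooling or code from any engagement. The in-memory application, its users, its endpoints, and the two flaws planted in it (a profile endpoint that never checks ownership, and an admin endpoint that trusts a client-supplied role parameter) are all constructed for this example; the `handle()` function stands in for HTTP requests so the script runs offline.

```python
"""Added example (not Tanner's tool): an authorization-matrix test of the kind
run during the authenticated phase of a web application penetration test.

Everything here is constructed: the toy application, its users and roles,
and the two flaws planted in it are hypothetical, not findings from any
real engagement."""

from dataclasses import dataclass

# --- constructed target application ---------------------------------------

USERS = {
    "anon":  {"id": 0, "role": "anonymous"},
    "alice": {"id": 1, "role": "user"},
    "bob":   {"id": 2, "role": "user"},
    "admin": {"id": 9, "role": "admin"},
}
PROFILES = {1: "alice's data", 2: "bob's data"}


def handle(user, method, path, params=None):
    """Toy request handler standing in for HTTP. Returns (status, body)."""
    params = params or {}
    me = USERS[user]
    if path.startswith("/profile/"):
        target = int(path.rsplit("/", 1)[1])
        if me["role"] == "anonymous":
            return 401, ""
        # FLAW 1 (constructed): ownership is never checked, so any
        # authenticated user can read any profile (horizontal access).
        return 200, PROFILES.get(target, "")
    if path == "/admin/users":
        # FLAW 2 (constructed): a client-supplied "role" parameter overrides
        # the session role (vertical escalation).
        role = params.get("role", me["role"])
        if role != "admin":
            return 403, ""
        return 200, str(sorted(USERS))
    if path == "/health":
        return 200, "ok"
    return 404, ""


# --- authorization matrix test --------------------------------------------

@dataclass(frozen=True)
class Case:
    actor: str
    method: str
    path: str
    params: tuple = ()
    allowed: bool = False   # expected outcome under the intended policy


# Intended policy (constructed): users may read only their own profile;
# /admin/* is reserved for the admin role; parameters never change a role.
MATRIX = [
    Case("anon",  "GET", "/profile/1", allowed=False),
    Case("alice", "GET", "/profile/1", allowed=True),
    Case("alice", "GET", "/profile/2", allowed=False),    # horizontal check
    Case("bob",   "GET", "/profile/1", allowed=False),    # horizontal check
    Case("alice", "GET", "/admin/users", allowed=False),  # vertical check
    Case("alice", "GET", "/admin/users",                  # tampered parameter
         params=(("role", "admin"),), allowed=False),
    Case("admin", "GET", "/admin/users", allowed=True),
]


def run_matrix(matrix=MATRIX):
    """Exercise every case as its actor and return the (case, status) pairs
    whose outcome contradicts the expected policy: the authorization findings."""
    findings = []
    for c in matrix:
        status, _ = handle(c.actor, c.method, c.path, dict(c.params))
        granted = status == 200
        if granted != c.allowed:
            findings.append((c, status))
    return findings


if __name__ == "__main__":
    for case, status in run_matrix():
        kind = "unexpected ALLOW" if status == 200 else "unexpected DENY"
        print(f"{kind}: {case.actor} {case.method} {case.path} "
              f"params={dict(case.params)} -> {status}")
```

Against a real target, `handle()` is replaced by requests sent through an intercepting proxy with one session per role, but the structure is the same: the matrix is written from the application's intended policy before testing, so that both unexpected allows (escalation, cross-user access) and unexpected denies (broken functionality for a legitimate role) surface as explicit, reproducible findings.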


Penetration Test Deliverable


The actionable report contains the following information:

  • Executive Summary

  • Testing Methodology

  • Steps to reproduce each finding

  • Detailed explanation of each finding and its associated risk

  • Recommendations for how to address each finding

The report highlights the gaps identified in tests, along with Tanner’s prioritized recommendations for remediating the identified risks. The end result is an improvement in the overall security of the application. Our findings take into consideration the size of the company and the sensitivity of its data when determining the importance and urgency of each recommendation.

Engage the security experts

Learn how Tanner’s security services can help you accomplish your specific business goals.

Let's Talk

or call 801-532-7444 today

Tanner LLC 
36 S. State St., Suite 600
Salt Lake City, UT 84111

United States
Phone: (801) 532 7444


2020 Tanner LLC
All Rights Reserved.
