Looking for web application testing services?
As the number of internet web pages exceeds 50 billion, it is evident that more and more data is being moved online. With the advent of BIG data, organisations are able to capture information across a vast array of resources. From capturing analytics on users' spending patterns through to tracking users' 'likes', BIG data is transforming our ability to work, play and communicate.
The uniform approach for presenting this data is through a web browser or web-enabled app. Vulnerabilities such as Heartbleed have required IT professionals to take a deeper look at the way data is secured. As applications become more complex and deliver more functionality to users, the opportunity for vulnerability becomes all the more prevalent, and web application testing becomes essential to protect the software IP, the users' information and the reputation of the product owner.
Nettitude's web application assessments are designed to review all types of web server, ranging from straightforward WordPress sites through to online banking environments or even control systems for critical national infrastructure. Nettitude focuses on the application logic that has been built into the website and pays particular attention to any aspect of the environment that allows a user to enter input. As well as having some of the most sought-after technical capability within the space, our consultants all possess strong communication skills and can help quantify the risks associated with your web application infrastructure.
Our Web Application Testing Methodology
Nettitude's web application testing methodology is consistent with the testing methodology for infrastructure-based IT penetration tests. In addition, there are further elements conducted as part of the mapping, service identification, vulnerability assessment and exploitation phases.
Nettitude uses a blended approach of Open Source (OS), custom scripts and commercial tools to conduct web application testing. All of our testing is in line with OWASP v4 (2014) recommendations and covers the OWASP Top 10 as a minimum.
Web Service & API Testing
The OWASP top 10 is a list of the most common types of security issues that impact web applications. It is referenced by many security standards including PCI DSS, Defence Industry Security Association (DISA), MITRE, Federal Trade Commission (FTC) and more.
All of Nettitude’s web application and penetration testing engagements cover the OWASP top 10 and are consistent with their v4 (2014) testing guide. In addition, Nettitude goes deeper to assess the fundamental application logic, whilst also assessing the access controls that deliver security roles and user partitioning.
Nettitude also pulls in information from external sources such as Facebook, LinkedIn and Twitter to provide social engineering and authentication-based attack vectors. Combining these approaches provides customers with a much more holistic approach to web application security testing.
Nettitude carries out Web Application Testing to assess the following elements of the OWASP Top 10:
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
The OWASP top 10 is a strong starting point for web application testing, but organisations should really look to go beyond this. The underlying application logic needs to be tested. Websites need to be assessed with different classes of users, to ensure that appropriate partitioning and access controls exist. Content Management Systems (CMS) and administrative functions should be assessed and a series of broader controls should be reviewed and tested.