Web Application Security Testing
Let RandomStorm's Web Application Security experts safely test the security of your Web Application against the latest threats.
RandomStorm offer a professional Web Application Security Testing service that identifies vulnerabilities in your web applications. Testing can be performed remotely for external-facing web applications, or on site at your premises if the application is only reachable internally.
RandomStorm have a wealth of knowledge in the area of Web Application Security Testing, and their testers have created and contributed to many open source web application security projects, such as the Damn Vulnerable Web App (DVWA) and the WPScan WordPress Security Scanner.
Web App Security Testing – Methodology
The security testing methodology used is based around the Open Web Application Security Project (OWASP) testing methodology.
The assessment is divided into five phases:
- Initial Scoping
- Passive Information Gathering
- Vulnerability Testing
- Analysis and Reporting
- Report Delivery and Post-Assessment Review
Initial Scoping
Once the order has been received, the next stage is the initial scoping. At this stage the customer provides the application access details together with any authentication credentials required to perform the security assessment, so that the tester can reach every role and area that is in scope.
Passive Information Gathering
In the passive phase, the consultant manually interrogates the web application to understand its logic. Various tools are used for information gathering, in particular an intercepting HTTP proxy through which all requests and responses are observed. The objective of the passive phase is to identify all the access points (gates) of the application, such as HTTP headers, URL and body parameters, and cookies, since each one is a place where client-controlled data enters the application. Information gathering is a vital part of any web application security assessment.
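As an added illustration of what the passive phase produces (this is example code written for this page, not RandomStorm's own tooling), the following Python script takes one request/response pair as it would appear in an intercepting proxy and builds the entry-point map described above: URL path, query and body parameters, request headers, the cookies the client sent, and the cookies the server set together with their Secure and HttpOnly flags. The traffic, host name, paths and parameter names are all constructed for the example.

```python
"""Map an application's entry points from a proxied HTTP exchange.

Added example (not RandomStorm's tooling). Given a raw request and its
response as captured by an intercepting proxy, it records every place
where client-controlled input enters the application, which is the
output the passive information-gathering phase aims to produce.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic; host, paths and parameter names are made up.
SAMPLE_REQUEST = "\r\n".join([
    "POST /login.php?next=%2Fadmin HTTP/1.1",
    "Host: app.example.test",
    "User-Agent: Mozilla/5.0",
    "Cookie: PHPSESSID=abc123; lang=en",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 36",
    "",
    "username=alice&password=s3cret&csrf=",
])
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Set-Cookie: PHPSESSID=def456; Path=/; HttpOnly",
    "Set-Cookie: remember=1; Path=/; Secure; HttpOnly",
    "Location: /admin",
    "Content-Length: 0",
    "",
    "",
])


@dataclass
class EntryPoints:
    method: str
    path: str
    query_params: set = field(default_factory=set)
    body_params: set = field(default_factory=set)
    request_headers: set = field(default_factory=set)  # lower-cased header names
    cookies: set = field(default_factory=set)          # cookie names sent by the client
    set_cookies: dict = field(default_factory=dict)    # name -> {"secure": bool, "httponly": bool}


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, headers, body).

    Header names are lower-cased and values collected into lists, because
    a response may legitimately repeat a header such as Set-Cookie.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def map_entry_points(raw_request, raw_response):
    """Return the EntryPoints exposed by one request/response pair."""
    request_line, req_headers, req_body = parse_http_message(raw_request)
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    ep = EntryPoints(method=method, path=url.path)

    # keep_blank_values so an empty parameter (csrf=) is still recorded as an entry point
    ep.query_params = set(parse_qs(url.query, keep_blank_values=True))
    content_type = req_headers.get("content-type", [""])[0]
    if content_type.startswith("application/x-www-form-urlencoded"):
        ep.body_params = set(parse_qs(req_body.strip(), keep_blank_values=True))

    # Cookies are entry points too, but are listed separately from other headers.
    ep.request_headers = {name for name in req_headers if name != "cookie"}
    for header in req_headers.get("cookie", []):
        jar = SimpleCookie()
        jar.load(header)
        ep.cookies.update(jar.keys())

    # Record what the server hands back: new cookies and their protective flags.
    _status, resp_headers, _ = parse_http_message(raw_response)
    for header in resp_headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            ep.set_cookies[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return ep


def describe(ep):
    """Render the entry-point map as lines a tester can paste into notes."""
    lines = [f"{ep.method} {ep.path}"]
    lines.append("  query params : " + (", ".join(sorted(ep.query_params)) or "-"))
    lines.append("  body params  : " + (", ".join(sorted(ep.body_params)) or "-"))
    lines.append("  headers      : " + ", ".join(sorted(ep.request_headers)))
    lines.append("  cookies sent : " + (", ".join(sorted(ep.cookies)) or "-"))
    for name, flags in sorted(ep.set_cookies.items()):
        missing = [f for f in ("secure", "httponly") if not flags[f]]
        note = "missing " + ", ".join(missing) if missing else "Secure and HttpOnly set"
        lines.append(f"  Set-Cookie   : {name} ({note})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(map_entry_points(SAMPLE_REQUEST, SAMPLE_RESPONSE))))
```

Run over every exchange recorded during the passive walk-through, the collected maps give the list of parameters, headers and cookies that the later vulnerability-testing phase will probe; the Set-Cookie flag check is the kind of observation that is noted here and confirmed later under Session Management Testing.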
Vulnerability Testing
In this phase, the consultant tests the web application against the following nine sub-categories. In total, over 60 individual tests are carried out across the web application.
- Configuration Management Testing
- Business Logic Testing
- Authentication Testing
- Authorisation Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Ajax Testing
Analysis and Reporting
Once all of the assessment data has been collected, the consultant who performed the test analyses it and writes the customer report.
The report opens with an Executive Summary that outlines the main areas of concern, together with the remediation actions, in a concise format, before proceeding to the full narrative of all aspects of the application security assessment.
The report is the main deliverable from the project. It covers each identified area of concern in detail, with clear, concise explanations and remediation advice to help the customer fix the problems found in the tested applications.
Report Delivery and Post-Assessment Review
Once the full assessment report has been written and peer reviewed, it is uploaded to the secure document area of the RandomStorm Secure Customer Portal and the customer is informed that the report is ready for review. If a post-assessment meeting or conference call has been scheduled, it takes place with both the account manager and the lead consultant present.
The customer may wish to request a follow-up assessment after an agreed period so that the effectiveness of the remediation can be verified.