"Redspin has demonstrated their technical capability in the web application assessment area several times for us, but we find the real value is the ability of their team to cast the technical findings in the context of our business."
Redspin Customer

Web Application Penetration Testing

Redspin's Web Application Security Assessment reviews and evaluates the level of risk associated with an application in terms of its web vulnerabilities and the potential disclosure of sensitive information. The primary goals of this assessment are to:

  • Provide management with an understanding of the level of risk introduced by the web application.
  • Provide recommendations and details to facilitate a cost-effective and targeted mitigation approach.
  • Create a basis for future decisions regarding information security strategy and resource allocation.

Why perform a Web Application Security Assessment?

  • To execute a real-world attack on a critical application and understand the level of risk that exists at a single moment in time.
  • To complement your automated scanning appliance to better identify and validate all security vulnerabilities associated with your Internet-facing environment.
  • To understand how well your development team followed the secure software development life cycle.

Scope

This assessment methodology covers the classes of vulnerabilities identified in the 2010 OWASP (Open Web Application Security Project) Top 10:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object Reference
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

Because vulnerabilities can mask or even enable other vulnerabilities, we comprehensively test the entire application, which often requires credentials for the various roles within the application.

Redspin's application assessments also address specific regulatory requirements, such as FFIEC/GLBA, HIPAA/HITECH, and PCI DSS requirements 6.6 and 11.3.2.

Methodology

The testing process for application analysis follows a structured sequence of steps, each of which is meant to give the tester additional knowledge of the application's structure and to conclusively identify and validate the existence of a specific vulnerability, thereby eliminating false positives. The process begins with host and service enumeration, followed by content enumeration and discovery and a web crawl of the application and its associated servers. Testing of the input sources the application accepts from users is then performed, concluding with testing of login forms and credentials and examination of the session cookies used by the application.