Both our web application and mobile application penetration testing services utilize industry-standard software tools to profile the application by identifying accessible services, ports, and systems. Our expert engineers then manually analyze the application for business logic flaws and simulate real-world attacks to identify inherent vulnerabilities and potential threats.
Redspin's web application security assessment methodology follows the OWASP Top Ten classes of vulnerabilities, including data validation (SQL injection, cross-site scripting, buffer overflows, etc.), session management, access controls (authentication and authorization controls), use of cryptography, and use of third-party components (patching, configuration errors, etc.).
Redspin's mobile application security assessment methodology follows v1.0 of the OWASP Top 10 Mobile Risks and includes: insecure data storage, weak server side controls, client side injection, poor authorization and authentication, improper session handling, security decisions via untrusted ports, side channel data leakage, broken cryptography, and sensitive information disclosure.
Basic – Fixed price. Designed for organizations that want an initial assessment of whether or not their applications are secure. The basic assessment includes an application scan and 3 days of manual testing and reporting.
Advanced – The scope of work and pricing vary based on the size and complexity of the application. Before a proposal and quote are sent, we schedule a demonstration or "walk-thru" of the application with a Redspin security engineer. The testing is more comprehensive and in-depth than a basic assessment and is meant for applications that process and store confidential or proprietary information and for applications that are mission or business critical.
Enterprise Application Security Assessment: Annual Pricing. This is the gold standard of application security assessments. Redspin's Enterprise Application Assessments include two Advanced-scope tests scheduled approximately six months apart. Each month, a new validation is provided to the client, indicating which findings have been remediated and which have not.
Our security engineers understand that every application is unique with specialized requirements. Business necessities such as time-to-market, multi-location development (including offshore) and limited resources often greatly impact the extent to which security testing is "built-in" to the software development process. In other environments, engineering teams apply security best practices according to rigorous adherence to the software development lifecycle (SDLC) methodology.
Redspin's application security assessments provide you with the assurance that your critical application can withstand common Internet and internal threats. We tailor our efforts to identify the most critical vulnerabilities within a short time period with minimal impact to production systems. If we find serious vulnerabilities where immediate remediation is necessary, we will notify you on the spot so that you can take the appropriate action.