Application Security Testing

Redspin offers in-depth application security testing for web applications, mobile applications, and internally-developed custom applications.

Our comprehensive application test methodology and all-inclusive fixed pricing provide greater ROI on your application security investment than any of our competitors. Security "solution" companies eventually run up large professional services fees. Purely automated web app scanners cannot compete with our manual analysis for reducing the risk of a data breach within your application environment. No application security testing company gives you more "peace of mind" about the confidential data your applications undoubtedly use, transmit, and store.

Redspin’s application security testing services utilize industry-standard software tools to profile the application by identifying accessible services, ports, and systems. Our expert engineers then manually analyze the application for business logic flaws and simulate real-world attacks to identify inherent vulnerabilities and potential threats.

Application Security Testing Service Levels

Redspin offers 3 levels of fixed-price, application security assessments to help address the unique needs, requirements and budgets of our broad application security client base.

Basic: Fixed price. A basic application security test answers the question: "How secure is my application?" Redspin believes the minimum level of application testing necessary to answer that question is an application scan followed by 3 days of manual testing and reporting. Don't let others convince you that a scan alone is good enough. Do you want "good enough" security?

Advanced: Variable fixed price. The scope of work and pricing vary with the size and complexity of the application. We’ll schedule a demonstration or "walk-through" of the application with a Redspin security engineer before a proposal and price quote are sent. Advanced application security testing is more comprehensive and in-depth than the basic option and is meant for mission-critical applications and/or those that process and store confidential or proprietary information.

Enterprise Application Security Testing: Annual Pricing. This is the gold standard of application security testing. Redspin's Enterprise application security tests include two advanced-scope tests scheduled approximately six months apart. Each month, a new validation is provided to the client, indicating which findings have been remediated and which have not.

Application Security Testing Service Comparison:

Question answered by the test                                                                    Basic     Advanced  Enterprise
Can an attacker break into my application?                                                       Included  Included  Included
Are there known security misconfigurations in my application?                                    Included  Included  Included
Does the application handle basic security well? (session management, authentication, administration)  Included  Included  Included
Should I be worried about a prior or imminent attack?                                            Included  Included  Included
What would a state-sponsored or highly trained attacker be able to achieve if they focused on my application?  --  Included  Included
What overarching flaws appear to be present in my software development lifecycle?                --        Included  Included
What business logic flaws may be present in my application?                                      --        Included  Included
How does my application security change over time?                                               --        --        Included
How quickly can my developers respond to vulnerabilities?                                        --        --        Included
How can my organization get the most "bang" for its buck in application security testing?        --        --        Included

("Included" means the question is covered by that service level's application security test; "--" means it is not.)

Methodology: Application Security Testing

Redspin's web application security testing methodology follows the OWASP Top Ten classes of vulnerabilities including data validation (SQL injection, cross-site scripting, buffer overflows, etc.), session management, access controls (authentication and authorization controls), use of cryptography, and use of third-party components (patching, configuration errors, etc.).
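To make the "data validation" class above concrete, here is an added example (not Redspin's code or methodology) of the SQL injection case it names: a login lookup that concatenates untrusted input into the query text, beside the same lookup using driver placeholders, both run against an in-memory SQLite table. The table contents, the credentials, and the injection string are all constructed for the demonstration; plaintext passwords are used only to keep the example short and would themselves be a finding in a real test.

```python
"""Added example: SQL injection via string concatenation versus a
parameterised query. Data and inputs below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, one of them an admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Untrusted input is spliced into the SQL text, so the caller controls
    # query syntax rather than just a compared value.
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    # Placeholders keep the input as data: the engine never parses it as SQL,
    # so the same injection string is simply a password that does not match.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Classic tautology payload (constructed): closes the password literal and
# appends a condition that is always true. Because AND binds tighter than OR,
# the vulnerable WHERE clause becomes (... AND password='') OR '1'='1'.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "bob", "hunter2"),     # ('bob', 'user')
        "vuln_attack": login_vulnerable(conn, "alice", INJECTION),  # ('alice', 'admin')
        "hard_legit": login_hardened(conn, "bob", "hunter2"),       # ('bob', 'user')
        "hard_attack": login_hardened(conn, "alice", INJECTION),    # None
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:12s} -> {row}")
```

The point a tester checks for is the difference between the two "attack" rows: the concatenating version authenticates the attacker as the first matching row (here the admin) with no valid password at all, while the parameterised version returns nothing. The same pattern, a payload that changes the meaning of the query or page rather than its data, is what the manual phase of a test probes for in each input the scanner flags and in the ones it misses.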

Redspin's mobile application security testing methodology follows v1.0 of the OWASP Top 10 Mobile Risks and includes: insecure data storage, weak server side controls, insufficient transport layer protection, client side injection, poor authorization and authentication, improper session handling, security decisions via untrusted inputs, side channel data leakage, broken cryptography, and sensitive information disclosure.

Redspin's application security testing provides you with the assurance that your critical application can withstand common Internet and internal threats. We tailor our efforts to identify the most critical vulnerabilities within a short time period with minimal impact to production systems. If we find serious vulnerabilities where immediate remediation is necessary, we will notify you on the spot so that you can take the appropriate action.

"Experience has shown that detecting vulnerabilities in web applications requires a combination of automated and manual testing."
- U.S. Office of Inspector General