Application Security Testing Services

Redspin’s application security testing is designed to find vulnerabilities in web applications, mobile applications, and internally-developed custom applications.

Manual Analysis

Our extensive manual analysis leads to zero false positives and the ability to detect logic/business flaws in the application. Using ethical hacking techniques, we simulate real world attacks to demonstrate how vulnerabilities can be exploited to compromise your systems and confidential data.

Purely automated web application security scanners cannot compete with our manual analysis for reducing the risk of data breach within your application environment.

All-Inclusive Fixed Pricing

Many of our competitors quote hourly rates or add professional services fees when pricing an application security assessment. Compare that to Redspin’s pricing model, which includes 3 levels of fixed-price assessments (see below) to help address the unique needs, requirements and budgets of our broad client base. We also offer quarterly application security assessments at a discounted rate for those clients that want the optimum level of security through a regular cycle of assessments, remediation, and retesting.

Industry Standard Methodology/Risk-based Analysis

Redspin's web application security testing methodology follows the OWASP Top 10 classes of vulnerabilities including data validation (SQL injection, cross-site scripting, buffer overflows, etc.), session management, access controls (authentication and authorization controls), use of cryptography, and use of third-party components (patching, configuration errors, etc.).

Redspin's mobile application security testing methodology follows v1.0 of the OWASP Top 10 Mobile Risks and includes: insecure data storage, weak server side controls, client side injection, poor authorization and authentication, improper session handling, security decisions via untrusted inputs, side channel data leakage, broken cryptography, and sensitive information disclosure.

We tailor our efforts to identify the most critical vulnerabilities within a short time period and with minimal impact to production systems. If we find serious vulnerabilities where immediate remediation is necessary, we will notify you on the spot so that you can take the appropriate action.

Security ROI

No application security testing company provides greater ROI. Consider Redspin’s security engineers an extension of your team, working together to protect your systems and the confidential data your applications use, transmit, and store. Those engineers are actively involved in the application security community and are constantly evolving our methodology to meet new threats. With world-class experts, manual testing, and a proven methodology, you not only get a comprehensive assessment with actionable recommendations, you get "security peace of mind."

Application Security Testing Service Levels

Basic: Fixed price. A basic application security test answers the question: "How secure is my application?" Redspin believes the minimum level of application testing necessary to answer that question is an application scan followed by 3 days of manual testing and reporting. Don't let others convince you that a scan alone is good enough. Do you want "good enough" security?
Advanced: Variable fixed price. The scope of work and pricing varies with the size and complexity of the application. We’ll schedule a demonstration or "walk-thru" of the application with a Redspin security engineer before a proposal and price quote are sent. Advanced application security testing is more comprehensive and in-depth than the basic option and is meant for mission critical applications and/or those that process and store confidential or proprietary information.
Enterprise Application Security Testing: Annual Pricing. This is the gold standard of application security testing. Redspin's Enterprise application security tests include two advanced-scope tests scheduled approximately six months apart. Each month, a new validation is provided to the client, indicating which findings have been remediated and which have not.

Application Security Testing Service Comparison ("Included" means the item is included in that service level's Application Security Test):

| Question the test answers | Basic | Advanced | Enterprise |
|---|---|---|---|
| Can an attacker break into my application? | Included | Included | Included |
| Are there known security misconfigurations in my application? | Included | Included | Included |
| Does the application handle basic security well? (This includes session management, authentication, and administration) | Included | Included | Included |
| Should I be worried about a prior or imminent attack? | Included | Included | Included |
| What would a state-sponsored or highly trained attacker be able to achieve if they focused on my application? | | Included | Included |
| What overarching flaws appear to be present in my software development lifecycle? | | Included | Included |
| What business logic flaws may be present in my application? | | Included | Included |
| How does my application security change over time? | | | Included |
| How quickly can my developers respond to vulnerabilities? | | | Included |
| How can my organization get the most "bang" for its buck in application security testing? | | | Included |

"Experience has shown that detecting vulnerabilities in web applications requires a combination of automated and manual testing."
- U.S. Office of Inspector General