Penetration Testing for Web Applications
Let us break your system before the bad guys do
Our bespoke and human-focused web application penetration testing is based on the needs of your business.
Vertical Structure's human-based approach ensures that, while automated tools are used to guide compromises, the focus is on using the power of our security and penetration testers to highlight areas for improvement.
All reports are written by humans, for humans with the goal of ensuring that your staff at all levels of the company can understand the requirements and make cyber security part of their day-to-day role.
What is penetration testing?
Penetration testing involves using authorised, simulated cyber attacks on a computer system to identify weaknesses or vulnerabilities. Our human-centric penetration testing uncovers real-life threats, then focuses on how to fix them.
New cyber security threats arise every day
Security risks are constantly changing, and you require a team of experts who are following every threat from the moment of genesis.
We test web apps and content management systems (CMS) as unauthenticated, anonymous and authenticated users to identify flaws and weaknesses in your applications.
Our team of expert penetration testers will ensure that your applications are free from threats. To do this, we make use of industry standards including OWASP's Top 10 Security Threats.
Penetration testing output
We supply a comprehensive security report for your web applications, including API testing and networks. The report clearly highlights potential issues and resolutions.
We pride ourselves on being able to write reports that make sense and provide useful recommendations. You will not be given page upon page of automated export from a tool.
What we need from you:
Here are the typical questions that we ask customers before we get started with web application penetration testing:
- What is the system that we will be testing? Is it a Web application running core systems for you and your customers or an informational site about you and your services?
- What’s the web address of the application you need penetration testing? Your URL is your most obvious, outward-facing access point into your system.
- Where is the system hosted? We ask this as we sometimes need to get approval from the people hosting it.
- Is the system hosted in the cloud? If so, it might be of benefit to have an additional level of testing to ensure the infrastructure has been configured correctly. For reference, please consult AWS’ Shared Responsibility Model.
- Any special issues which you think might impact our testing?
- Do you have any active response firewalls or anything else which might block our attempts to compromise the system?
- What sort of data are you storing in the system?
- Will the information you're storing contain sensitive personal data about young people or health data?
- Do you have different levels of users? Such as admin, standard or different customer company groups.
What cyber security risks might you face?
Below are the top ten most identified security risks in the latest OWASP Top Ten guide (2017), this is a useful starting point for investigations but we also go beyond this and investigate items which automated testing will frequently miss. We will apply a human eye to the human problem of cyber security.
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
No matter the risks, we will guide you through the available recommendations. Further explanation of each of these risks is available on the OWASP Top Ten Project page.
Application Security Verification Standard 4.0
The Vertical Structure team can assist you to achieve all levels (1 through 3) of OWASP's Application Security Verification Standard 4.0.
This comprehensive security audit will ensure you can develop and maintain secure applications.
We can help you achieve the level that's appropriate for your business need.
ASVS Level 1 - for low assurance levels, applications that are completely penetration testable
ASVS Level 2 - for applications that contain sensitive data, which requires protection and is therecommended level for most apps
ASVS Level 3 - for the most critical applications perform high value transactions, containsensitive medical data, or any application that requires the highest level of trust
Or send us a quick message