Application Penetration Testing
CREST Accredited, Application Security Testing Specialists
At 4ARMED we focus solely on application and cloud-based security testing. It’s probably something to do with our closet developerness. If you’ve got any kind of web or mobile application - perhaps a SaaS platform? - that needs security testing, look no further.
What is an Application Penetration Test?
An exploitative test of your application’s security defences. Sometimes referred to as “ethical hacking”, the goal of penetration testing is to assess the resilience of your web application to technical attacks and provide tailored recommendations on areas that could be improved. By using the same techniques as criminal hackers our consultants look for ways to gain unauthorised access to data stored in your systems, applications or mobile devices.
We align our application security testing methodology to the OWASP Application Security Verification Standard. There’s two main reasons for this: 1) it’s good and 2) it gives additional, independent clarity over what will be delivered. This is especially useful if you’re having a penetration test done to satisfy a third-party.
Security Testing Levels
Level 1 - Opportunistic
Level 2 - Standard
Level 3 - Advanced
If what you need is something more targeted or bespoke, this is no problem. For example, you may have recently rolled out a new login function and would like assurance over just this element. All our engagements are built around your requirements so let us know what you need.
Security Testing helps you gain assurance over your risk. Everything should be coded and configured correctly and securely but testing provides assurance that no mistakes have been made.
Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance.
Sensible rates, a pragmatic approach and recommendations that make a difference all add up to a cost effective overall solution. Take advantage of a Managed Security Testing contract and see even better return on your investment.
Each report contains a root cause analysis and, if you take a Managed Security Testing contract we can help you implement a continuous improvement cycle focused on your specific problem areas.
What To Expect
A typical engagement process flow can be seen here. The most important part when considering a penetration test is getting the scope right.
In some cases this is relatively simple as it may be you require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is when conducting a penetration test to meet PCI DSS requirement 11.3 which will need us to verify the scope for testing actually covers all in-scope systems.
For simple requirements we can typically scope a test accurately via a phone call or email, more complex tests will require a scoping form to be completed. A link to this can be found in the Resources section below.
Application Security Testing with Source Code
Earlier we highlighted the different testing levels we typically work to – Opportunistic, Standard and Advanced – but, when it comes to application security testing there is always the option to provide us with access to the source code during the test.
Often referred to as white box testing this enables our consultants to achieve far wider and deeper coverage of an application in the same amount of time. This is because suspected issues can be verified more quickly and searched for in other parts of the code. The majority of tests we conduct these days are performed in this manner.
Source code is stored in accordance with our ISO27001 information security requirements and is securely deleted once the engagement has completed.
- Confirmation of scope
- Escalation process agreed
- Test Authorisation
- Communication requirements agreed
- Vulnerability Identification
- Regular Testing Updates As Agreed
- Report Completed By Lead Tester
- Issues Rated By Impact & Exploitability
- Root Cause Analysis
- Internal QA Prior To Issue
- Optional Wash-up Call
- Post-Test Support For Recommendations
- Arrange Re-testing If Required
4ARMED’s knowledge of programming has also helped them identify issues in our code and suggest reasonable remediation steps, which have been gratefully received. The reports delivered at the end of a test are top notch, and have enough technical detail to identify issues and solutions quickly, while still being formatted and worded in such a way as to not confuse the reader.
Developer at SaaS Learning Platform
App, Mobile and Infrastructure Penetration Test
Online Financial Services Company
App, Mobile and Infrastructure Penetration Test
Agricultural Levy Organisation
Security Testing Scoping Form
3 Warren Yard, Warren Park, Stratford Road, MILTON KEYNES MK12 5NW, England