Application Penetration Testing

CREST Accredited, Application Security Testing Specialists

Overview

Introduction

At 4ARMED we focus solely on application and cloud-based security testing. It’s probably something to do with our closet developerness. If you’ve got any kind of web or mobile application - perhaps a SaaS platform? - that needs security testing, look no further.

What is an Application Penetration Test?

An exploitative test of your application’s security defences. Sometimes referred to as “ethical hacking”, the goal of penetration testing is to assess the resilience of your web application to technical attacks and provide tailored recommendations on areas that could be improved. By using the same techniques as criminal hackers our consultants look for ways to gain unauthorised access to data stored in your systems, applications or mobile devices.

We align our application security testing methodology to the OWASP Application Security Verification Standard. There are two main reasons for this: 1) it’s good and 2) it gives additional, independent clarity over what will be delivered. This is especially useful if you’re having a penetration test done to satisfy a third party.

Security Testing Levels

Level 1 - Opportunistic

The target is reviewed for easy to discover, easy to exploit weaknesses, such as those found in the OWASP Top Ten, that would be targeted by opportunistic attackers that lack the resources, skills, motivation or time to pursue more difficult vulnerabilities.

Level 2 - Standard

The target is reviewed to see if it will withstand most security risks associated with today’s software. This level of testing is typically required for most enterprise systems, compliance standards and other platforms that handle sensitive information such as personal or financial data.

Level 3 - Advanced

This level is typically reserved for those systems that require the highest level of assurance, where a compromise could result in critical impact. At this level the types of threat are expected to be determined and potentially well-funded. Security testing alone is not sufficient to provide verification and we would look to review the system’s architecture, code, management processes and other supporting factors in order to provide deep insight into the system’s risk.

If what you need is something more targeted or bespoke, this is no problem. For example, you may have recently rolled out a new login function and would like assurance over just this element. All our engagements are built around your requirements so let us know what you need.

Benefits

Assurance

Security Testing helps you gain assurance over your risk. Everything should be coded and configured correctly and securely but testing provides assurance that no mistakes have been made.

Compliance

Penetration Testing is required by a number of compliance standards such as PCI DSS. Our security testing services can help you achieve or maintain compliance.

Cost Effective

Sensible rates, a pragmatic approach and recommendations that make a difference all add up to a cost-effective overall solution. Take advantage of a Managed Security Testing contract and see an even better return on your investment.

Continual Improvement

Each report contains a root cause analysis and, if you take a Managed Security Testing contract, we can help you implement a continuous improvement cycle focused on your specific problem areas.

What To Expect

Scoping

A typical engagement process flow can be seen here. The most important part when considering a penetration test is getting the scope right.

In some cases this is relatively simple, as you may require a test of a single system or application whose boundaries are clearly defined. In other cases the scope will be more complex. A good example of this is a penetration test conducted to meet PCI DSS requirement 11.3, which requires us to verify that the scope for testing actually covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email; more complex tests will require a scoping form to be completed. A link to this can be found in the Resources section below.

Delivery

Communication is key to the delivery of a good security testing engagement. You will be assigned a project lead who will handle all of the logistics of testing with you and give you one point of contact should you need to discuss anything. We will keep you updated throughout testing as required, and a free-of-charge wash-up call between our consultants and relevant parties from your organisation can be scheduled once you have reviewed the detailed report provided. This gives you the opportunity to discuss the findings and recommendations in more detail and further evaluate your best course of action.

Application Security Testing with Source Code

Earlier we highlighted the different testing levels we typically work to – Opportunistic, Standard and Advanced – but when it comes to application security testing there is always the option to provide us with access to the source code during the test.

Often referred to as white box testing, this enables our consultants to achieve far wider and deeper coverage of an application in the same amount of time, because suspected issues can be verified more quickly and then searched for in other parts of the code. The majority of tests we conduct these days are performed in this manner.

Source code is stored in accordance with our ISO27001 information security requirements and is securely deleted once the engagement has completed.

Step 1 - Pre-Test

  • Confirmation of scope
  • Escalation process agreed
  • Test Authorisation
  • Communication requirements agreed

Step 2 - Testing

  • Enumeration
  • Vulnerability Identification
  • Exploitation
  • Post-Exploitation
  • Regular Testing Updates As Agreed

Step 3 - Reporting

  • Report Completed By Lead Tester
  • Issues Rated By Impact & Exploitability
  • Root Cause Analysis
  • Internal QA Prior To Issue

Step 4 - Review

  • Optional Wash-up Call
  • Post-Test Support For Recommendations
  • Arrange Re-testing If Required

Client Stories

4ARMED’s knowledge of programming has also helped them identify issues in our code and suggest reasonable remediation steps, which have been gratefully received. The reports delivered at the end of a test are top notch, and have enough technical detail to identify issues and solutions quickly, while still being formatted and worded in such a way as to not confuse the reader.

Tom

Developer at SaaS Learning Platform

  • App, Mobile and Infrastructure Penetration Test - Online Financial Services Company
  • App, Mobile and Infrastructure Penetration Test - Agricultural Levy Organisation

Resources

Security Testing Scoping Form

Next Steps

Want to discuss your requirements further? Wondering whether Application Penetration Testing is right for your business? There's an easy way to find out: give us a call or complete this handy contact form to tell us where you're at, and we will work with you to find the best solution for you.
+44 (0)203 475 2443 sales@4armed.com
4ARMED Limited
3 Warren Yard, Warren Park, Stratford Road, MILTON KEYNES MK12 5NW, England