Application penetration testing services is a mixed approach of automated and manual technical security assessment. The workflow is to identify all the common vulnerabilities indicated by OWASP (Open Web Application Security Project) or SANS standards.

​

The application security assessment service offering covers web applications, web services and thick client applications.

​

Stage 1 - Application Profiling: In this stage, profiling of the target web application is performed by identifying user entry points, understanding the core security mechanisms employed by the application, interfaces to external or internal applications, identifying roles with varying trust levels and determining the data flow path with indication on privilege boundaries.

​

Stage 2 - Automated Application Security Scanning: Automated application vulnerability scanners (i.e. commercial and/or open-source) are used to scan for application specific vulnerabilities covering all OWASP, SANS etc. references.

​

Stage 3 - Application Vulnerability Determination: This phase involves a complete hybrid approach to identifying web application security vulnerabilities with automated tools and scripts, along with manual assessment, to eliminate false positives and negatives. Manual assessment uses various vulnerability databases to identify vulnerabilities that were missed during automated scans, in addition to security verification of business logic flaws, broken access controls and more.

​

Stage 4 - Application Vulnerability Proof of Concept: The primary focus in this phase is on using manual security testing techniques to exploit the systems that include several exploits to assess the application hardening measures, cryptography issues, authentication and authorization controls, session management modules, business logic flaws and various validation measures. Attack scenarios for production environment will use a combination of exploit payloads in strict accordance with agreed rules of engagement.

​

Stage 5 - Reporting: All exploitable security vulnerabilities in the target web application are recorded with their risk scores and are reported to the client. The identified security vulnerability is assessed thoroughly and reported along with appropriate recommendation or mitigation measures.

​

Stage 6 - Remediation Consultation & Reassessment: Remediation consultation involves assisting the client’s platform team to remediate all reported application security vulnerabilities. Post remediation, a reassessment is conducted to validate the effectiveness of the application security countermeasures used in mitigating the reported security vulnerabilities.