Penetration Testing
What is a Web Application Penetration Test?
Penetration testing is a testing technique that exposes security vulnerabilities within a system and then simulates an attack to exploit them. A Web Application Penetration Test focuses mainly on exposing and exploiting vulnerabilities at the application layer.
What is involved in a Web Application Penetration Test?
A Web Application Penetration Test involves an active analysis of your website highlighting potential vulnerabilities that could be exploited to compromise the security of your system. These vulnerabilities may include programming errors and design flaws. At the end of the test, identified vulnerabilities are presented to the system owner along with their risk level and remediation advice.
Who needs a Web Application Penetration Test?
Any system that handles sensitive company information, users' personal information or payment-related information must undergo a penetration test to meet mandatory regulatory and compliance requirements. Companies also commission a penetration test to demonstrate due diligence in security and to enhance their brand image.
But I am only a small company. Why would someone bother attacking my website?
Over 70% of Internet attacks occur through vulnerable web applications. Not all of these attacks are targeted. Attackers crawl the Internet indiscriminately to find vulnerable websites and use them to spread malware or to attack other Internet users. If this happens, your website may be blacklisted or even taken down by your ISP.
But I use SSL, so isn't my website secure? Why do I need a Web Application Penetration Test?
SSL does not protect against all types of attack. This does not mean that SSL is flawed: it does its job well at protecting what it is designed to protect (data in transit between the browser and the server), but there are many other areas that are also checked during a web application penetration test, such as Authentication, Access Control, Session Management, Input Validation and Business Logic.
What benefits does my business get?
A properly commissioned web application penetration test helps you to prevent financial loss through fraud and to meet mandatory regulatory and compliance requirements. It also helps you to protect your company against industrial espionage and shows your customers and stakeholders that you have exercised due diligence in protecting your company information and their sensitive information.
What is the best time to get the Web Application Penetration Test done?
It is highly recommended to have the testing done within the UAT environment so that there is enough time to fix the vulnerabilities before going live. Another test should be conducted after the website goes live to ensure that no new vulnerabilities have been introduced during switchover and that no backdoors have been left open in the live environment.
How often should the test be conducted on my website?
It is highly recommended to carry out a web application penetration test once a year to ensure that your application is protected against new threats that have emerged over the year. For systems handling highly sensitive information, a penetration test is recommended once every six months.
How is the Web Application Penetration Test conducted?
Please check our Web Application Security Testing section for more information on our testing methodology.
What can I expect to receive after the test?
A highly customised and actionable report tailored to your business needs is produced at the end of every test. It includes a high-level management summary, vulnerability details highlighting the potential risks to your business, and remediation advice.
What support is provided after the test?
Post-test Conference: A post-test conference with management and technical personnel may be arranged to ensure that the risks and mitigation advice are thoroughly understood. We also offer ongoing phone and email support during mitigation.
Re-test: A re-test may be arranged to ensure the vulnerabilities have been fixed and no new vulnerabilities have been introduced post mitigation.
Why should I consider your services over other large and established service providers?
Our small size allows us to work with a few key clients, to offer a high-quality service and to give our personal attention to every project we work on, which is the key to our business success. Not only that, with us you gain access to technical expertise gained over a decade of industry experience working with many FTSE-100 and Fortune-500 clients.