Web applications penetration testing

Comsec’s Application Security Testing service includes testing web applications, mobile applications and thick client/client-server applications for vulnerabilities which could lead to data/network compromise or loss of availability. The team uses a similar approach, as shown below, in all cases, although the specific tests will be customized based on the type of application being tested.

The Challenge

We are seeing more and more organizations storing and relying on sensitive data, and at the same time data privacy and protection regulations are becoming more widespread and strict. This means that the reputational and regulatory cost of a data breach should be a key concern to any organization which stores or works with sensitive data.

Application Security is a particular area where we are seeing a rapid increase in new vulnerabilities alongside a significant shortage of skilled and experienced practitioners. Most organizations do not have the resources to discover and address these vulnerabilities, which can endanger not just data stored by the specific application but other data assets on the same network.

As such, even companies with a strong security environment and architecture can be exposed to Application Security risk if they do not have a comprehensive Application Security Testing program (and Secure Development Lifecycle if relevant).

Our Approach

Comsec offers Application Security Testing on multiple technology stacks, to assist the organization to identify application vulnerabilities which could lead to data disclosure or tampering and to simulate real-life attack scenarios against its products and internal/external facing applications.

We work with the client to identify the key risks to which the application exposes the organization and the potential scenarios by which these risks could occur, demonstrate whether these scenarios are possible or not, and provide assistance in mitigating the issue.

The final report will include a high-level executive summary, an explanation of our methodology, and detailed technical documentation of the findings. Every vulnerability is rated according to the likelihood of exploitation and the impact it would cause. The report will also contain mitigation recommendations per vulnerability to improve the component’s security level.

Why Comsec?

One of Comsec’s most unique values is that the security test is tailor-made to the client’s product. The team focuses on identifying the most critical risks and assets and ensuring they are considered throughout the testing phase. The team will always try to create a unique Proof of Concept exploit per vulnerability (whether it is a common vulnerability or not) in order to show the real business impact.

Additional key points:

– Emphasis on a high standard of reporting, with every report going through at least one separate quality review by another experienced consultant.

– Standardized testing plans to ensure that nothing is missed whilst allowing space for application-specific tests.

– Careful consideration of the real risk, with the finding risk rating taking into account aggravating and mitigating factors.

– We don’t want to deliver a report and leave; we want to support the client with how, where and when the fixes should be made and to ensure that they get implemented correctly.
