Web Application Security Testing
Comsec offers Web Application Security Testing on multiple technology stacks, to assist the organization in identifying application vulnerabilities which could lead to data disclosure or tampering and simulate real-life attack scenarios against its products and internal/external facing applications.
We work with the client to identify the key risks to which the application exposes the organization, potential scenarios by which these risks could occur, demonstrate whether these scenarios are possible or not and provide assistance in mitigating the issue.
The final report will include a high-level executive summary, an explanation of our methodology as well as detailed technical documentation of the findings. Every vulnerability is rated according to the likelihood of exploitation and its potential impact. The report will also contain mitigation recommendations per vulnerability to improve the component’s security level.
We are seeing more and more organizations storing and relying on sensitive data and at the same time data privacy and protection regulations are becoming more widespread and stricter. This means that the reputational and regulatory cost of a data breach should be a key concern to any organization which stores or works with sensitive data.
Application Security is a specific area where we are seeing a rapid increase in new vulnerabilities alongside a significant shortage of skilled and experienced practitioners. Most organizations do not have the resources to discover and address these vulnerabilities, which can endanger not only data stored by the specific application but other data assets on the same network.
Comsec’s Application Security Testing service includes testing web applications, mobile applications and thick client/client-server applications for vulnerabilities which could lead to data/network compromise or loss of availability. The team uses a similar approach, as shown below, in all cases, although the specific tests are customized based on the type of application being tested.
One of Comsec’s most unique values is that the security test is tailor-made to fit the client’s product. The team focuses on identifying the most critical risks and assets and ensuring they are considered throughout the testing phase. The team will always try to create a unique Proof of Concept exploit per vulnerability (whether it is a common vulnerability or not) in order to demonstrate the real business impact.
Additional key points:
■ Emphasis on a high standard of reporting with every report going through at least one separate quality review by another experienced consultant.
■ Standardized testing plans based on standards such as the OWASP Testing Guide, but customized to our needs to ensure that nothing is missed whilst allowing space for application-specific tests.
■ Careful consideration of the real risk, with each finding’s risk rating taking into account aggravating and mitigating factors.
■ We don’t want to deliver a report and leave; we want to support the client with how, where and when the fixes should be applied and to ensure that they get implemented correctly.