Website and Application-Layer Penetration Testing

SystemExperts’ Website and Application-Layer Penetration Testing is intended to identify vulnerabilities and misconfigurations in an application environment to ensure your systems are as secure as possible. Our methodologies include elements from several established testing models including:

  • National Institute of Standards and Technology (NIST) Special Publication 800-42 “Guideline on Network Security Testing”
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Open Web Application Security Project (OWASP) Testing Guide

SystemExperts leverages commercial, open source, and our own proprietary tools and code throughout each assessment. Given the diverse nature and complexity of custom application environments, our team performs a customized in-depth assessment and documents its findings in a comprehensive but easy-to-digest report that includes steps to reproduce each vulnerability.


Web Application Vulnerability Test

SystemExperts’ Web Application Vulnerability Test is a security evaluation of a web application and its supporting front-end infrastructure (i.e., those services available to the normal client). Two scenarios are usually performed: as an authenticated and authorized user and as an unauthenticated user. This process helps us develop a general sense of the level of security exposure and risk with the application. The team assesses the target web application environment to ascertain and document detailed vulnerabilities, steps to reproduce, and recommendations.

SystemExperts’ Web Application Vulnerability Test is intended to answer the following business questions:

  • Are the website, webserver, and back-end services reasonably secure as configured and deployed?
  • Are there readily found exposures that an intruder could take advantage of without having to log in?
  • Can an unauthorized user access data that is intended only for authorized users?
  • Can an authorized user perform inappropriate actions on their own account?
  • Can a user obtain any information about the accounts of other users?
  • Can a user perform any actions on the accounts of other users?


Mobile Application Vulnerability Test

SystemExperts’ Mobile Application Vulnerability Test is a security evaluation in which we look to exploit deficiencies in the mobile application and related API communications. In some cases, we may uncover sensitive application data stored insecurely on the device, escalate privileges, or identify instances where private data may be exposed.

SystemExperts’ Mobile Application Vulnerability Test includes, but is not limited to:

  • Reviewing security settings, configurations, and storage utilized by the mobile application
  • Identifying instances where private data may be exposed or stored insecurely
  • Reviewing associated backend APIs supporting the application
  • Determining if the application creates security risks to any back-end application services or network resources
  • Reviewing binaries associated with the mobile application to determine if appropriate supporting security APIs and functions are in use

SystemExperts documents its findings in an easy-to-understand report that details vulnerabilities, steps to reproduce, and recommendations.


Website Security Review

SystemExperts’ Website Security Review is a security evaluation of a web application environment that does not require user authentication. This allows us to develop a sense of the security exposure and risk in the web front-end infrastructure and the associated web application.

SystemExperts’ Website Security Review is intended to answer the following business questions:

  • Is the website reasonably configured and deployed? (e.g., Do default web server administrative interfaces allow a user the opportunity to deface the webpage?)
  • Are there readily found exposures that an intruder could take advantage of without having to log in? (e.g., Does poor form input validation allow a determined intruder to execute an injection exploit like cross-site scripting or SQL command injections?)