Securing web applications and web services in a cloud world

A web application and web service penetration test will seek to identify vulnerabilities present in the in-scope products. This broad coverage would typically include any application that is served over Hypertext Transfer Protocol (HTTP) and covers web sites with content that is accessible via a web browser, or via computer-to-computer transmissions through web services (e.g. via an API). Cloud technologies can also significantly increase the attack surface and hence exposure of a given deployment. As a result, it is imperative to check for the misconfigurations through which an attacker may initially attack and compromise a cloud environment and gain a foothold. i.e. resources and configuration which, if not correct, could potentially lead directly to the compromise of the environment or some data within it. Cloud environments use different technology and architectures when compared to on premise and data centre hosted implementations. This requires alternate testing approaches and authorisations to perform comprehensive testing under this shared responsibility and complex area. CyberCX has the experience to plan and execute tests that safeguard your sensitive information assets.

Locating the gaps through tooling and expertise

Automated web application test tools identify configuration issues and obvious vulnerabilities, but perform poorly when assessing application logic, authorisation, privilege escalation issues and implemented functionality from a security perspective. Extensive manual testing is conducted to bridge the gaps of automated testing and to validate vulnerabilities, eliminate false positives, and develop proof of concept exploits that allow for risks to be tangibly assessed. Our testing will simulate how a threat actor would attack deployed applications and systems through web-accessible interfaces and internet facing services. The presence of vulnerabilities is determined by directing a series of requests to a web application and evaluating the responses received. This allows CyberCX to precisely detect any active and exploitable vulnerabilities which may be present, circumvent business processes, and allow access to your data.

Industry standards and proprietary methods

CyberCX’s web application and web service penetration testing will encompass all issues covered within leading frameworks, such as OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Software Errors, among others. While these provide a sound foundation for identifying security vulnerabilities, further investigation is necessary to determine the full risk a threat actor may pose to you. As such, CyberCX may extend penetration testing activity to include aspects of multiple methodologies, including the OWASP testing guide (up to 94 tests), OWASP Application Security Verification Standard (up to 286 tests). CyberCX also utilises in-house methodologies to address custom testing requirements and ensuring critical functionality such a business logic is rigorously tested.