According to reports from various independent software testing companies that offer software testing services, including penetration testing, more than a quarter of vulnerabilities relate to web application security. Unlike the operating systems used in corporate networks, web applications are built in-house and do not pass the same rigorous quality control as widely distributed products. On the other hand, defects in web applications are much easier to find, which is why “hacking through port 80” is one of the popular tools in the attacker’s arsenal.
To identify as many defects as possible and establish measures that prevent their recurrence, testers perform penetration testing: a deep analysis of every aspect of the application’s implementation. Penetration testing as a service provides a full analysis and assessment of application security. Testers examine all components of a web application: design, networking, OS configuration, external data sources, data stores, authorization and authentication mechanisms, and server-side and client-side components.
The work sequence is as follows:
- Selecting the method for the subsequent web application analysis.
- Selecting the vulnerabilities to be used to identify the actions an attacker could perform.
- Performing the attacks that were coordinated and agreed with the customer.
The report should contain the following:
- An overall assessment of the web application’s security.
- The test procedure.
- Information about the detected vulnerabilities.
- The results of exploiting several critical vulnerabilities.
- Recommendations for eliminating the vulnerabilities.
- Preparation of the analytical report and the recommendations for eliminating the vulnerabilities.