We will undertake an in-depth technical penetration test of your custom application through a combination of active testing of the deployed application and source code review.

Using manual and automated testing, our pen-tester will first test for the presence of security best practices, such as appropriate content security policies and authentication processes. These give the defence-in-depth that helps to mitigate the impact when attackers exploit undetected vulnerabilities. We use the guidance from the Open Web Application Security Project as our baseline, combined with the judgment of our CyberSecurity Analysts.

Our testing will attempt to discover coding or flaws that result in actual vulnerabilities. These could allow an attacker to affect the application’s confidentiality, integrity or availability.

Example findings might be Cross-Site Scripting (XSS), SQL Injection or XXE.

Our assessments include the following broad areas of investigation:

1. Access Control
2. API and Web Service
3. Authentication
4. Business Logic
5. Communications
6. Configuration
7. Data Protection
8. Error Handling and Logging
9. File and Resources
10. Malicious Code
11. Session Management
12. Stored Cryptography
13. Validation, Sanitisation and Encoding

Before we start any testing, we’ll agree on a formal testing Scope document with you. This will cover:

• the applications that are in-scope;
• the level of depth required (e.g. including or excluding authenticated users)
• any environment and URLs that will be used for testing
• any limitations on the extent of the testing (for example, if a production environment)
• availability of any source code

Once our testing is complete, we’ll provide you with a report with detailed findings, their impact, and how to fix them.