Web Application Security Testing

The term “Penetration Test” or “Pen Test” is becoming a catch-all phrase that is often misused and misunderstood. A full Penetration Test is often unjustified and not required. A Penetration Test is more often than not a covert operation, and realistically the covert factor of the application testing process brings little added value but raises the client's costs.

A security assessment, which IS NOT the same as a penetration test, can bring tangible security value to your Web Application at a lower cost.

The following is based on the client electing Option 2, Security Testing, as described on our Services and Solutions page.

The testing ratio is 75% manual and 25% automated.

OIC Solutions undertakes Security Assessments and Reporting of Web Applications at short notice for their clients. Testing is performed by a skilled, qualified and experienced tester who adheres to the highest ethical standards and follows recognised, methodical testing frameworks.

OIC Solutions base their testing service on the following highly respected and comprehensive frameworks.

As described on our Services and Solutions page, we offer two comprehensive testing framework options: the first is the “classic” OWASP Top 10 2017 & SANS/CWE Top 25 Most Dangerous Software Errors, and the second is the “cutting edge” Level 1 Application Security Verification Standard (ASVS).

The “classic” testing has 144 individual tests. The “cutting edge” ASVS testing has 133 individual tests.

What specific tests are included?

“Classic” Testing

  • The 144 tests individually form the basis of the larger testing categories. We are not going to disclose the 144 tests publicly, but examples of specific tests within specific categories are:
    • Platform Architecture
      • Total specific tests 10
      • Example test
        • Extraneous open TCP/IP ports
    • Server Configuration
      • Total specific tests 13
      • Example test
        • Anonymous FTP uploads
    • SSL/TLS Configuration
      • Total specific tests 13
      • Example test
        • Heartbleed attack
    • Application Architecture
      • Total specific tests 22
      • Example test
        • CSRF vulnerability testing
    • Information Leaks
      • Total specific tests 22
      • Example test
        • Accessible backup files
    • Authentication
      • Total specific tests 16
      • Example test
        • Brute-force attack on login form
    • Session Management
      • Total specific tests 16
      • Example test
        • Session IDs in URLs
    • Authorisation
      • Total specific tests 4
      • Example test
        • Authorisation checks functionality
    • User Input
      • Total specific tests 24
      • Example tests
        • Cross-Site Scripting (XSS)
        • SQL Injection
    • File Handling
      • Total specific tests 6
      • Example test
        • Path Traversal
    • Any other security related findings

“Cutting Edge” ASVS Level 1 Testing

  • The 133 tests individually form the basis of the larger testing categories. Unlike the “classic” option, the “cutting edge” ASVS is fully open source. Examples of specific tests within specific categories are:
    • Authentication Verification
    • Session Management
      • Total specific tests 13
      • Example test
    • Access Control
      • Total specific tests 10
      • Example test
    • Validation, Sanitisation and Encoding
    • Stored Cryptography
      • Total specific tests 1
      • Example test
        • Verify that cryptographic modules fail securely and do not enable Padding Oracle attacks.
    • Error Handling and Logging
      • Total specific tests 3
      • Example test
        • Verify that the application does not perform logging of credentials or payment details.
    • Data Protection
      • Total specific tests 7
      • Example test
        • Verify that sensitive data is not cached by the Internet Browser.
    • Communications
      • Total specific tests 3
      • Example test
        • Verify that all client connectivity uses secured TLS and that it does not fall back to insecure or unencrypted protocols.
    • Malicious Code
      • Total specific tests 3
      • Example test
    • Business Logic
      • Total specific tests 5
      • Example test
    • File and Resources
    • API and Web Service
    • Configuration
      • Total specific tests 16
      • Example test
        • Verify that all unneeded features, samples, default files and user accounts have been removed.
    • Any other security related findings
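As an added illustration of what two of the ASVS Level 1 items above mean in practice, the following Python is constructed example code written for this page; it is not OIC Solutions' test tooling, and the header values and log lines in it are made up. It implements the Data Protection check (a response that a browser is allowed to store) and the Error Handling and Logging check (credentials or card numbers present in log output), with a logging filter that redacts such material before it is written.

```python
import logging
import re

# Constructed example, not the testing provider's tooling. Sample headers and
# log lines below are made up for a stand-alone run.

# --- Data Protection: "sensitive data is not cached by the browser" ----------

def response_is_cacheable(headers):
    """Return True if a browser is allowed to store this response.

    Only the Cache-Control "no-store" directive forbids storage; "private"
    merely restricts caching to the end user's browser, and "no-cache" still
    allows storage as long as the copy is revalidated before reuse.
    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    cache_control = lowered.get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    return "no-store" not in directives


# --- Error Handling and Logging: no credentials or payment details in logs ---

# key=value or key: value pairs whose key names a credential or card datum.
_SECRET_PAIR = re.compile(
    r"(?i)(\b(?:password|passwd|pwd|secret|token|cvv|pan|card[_ -]?number)\s*[=:]\s*)"
    r"([^&\s,]+)"
)
# 13 to 19 digits, optionally separated by spaces or dashes (card-number shaped).
_CARD_NUMBER = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def _luhn_ok(digits):
    """Luhn checksum, used to avoid masking phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _mask_card(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not _luhn_ok(digits):
        return match.group(0)  # digit run that is not a plausible card number
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_for_logging(message):
    """Mask credential pairs and Luhn-valid card numbers in one log line."""
    message = _SECRET_PAIR.sub(r"\1[REDACTED]", message)
    return _CARD_NUMBER.sub(_mask_card, message)


def lines_needing_redaction(log_lines):
    """Return the log lines that still carry credential or payment material.

    Running this over an application's existing logs is one way to perform the
    "does not log credentials or payment details" verification.
    """
    return [line for line in log_lines if redact_for_logging(line) != line]


class RedactingFilter(logging.Filter):
    """Logging filter that redacts a record's rendered message before emission."""

    def filter(self, record):
        record.msg = redact_for_logging(record.getMessage())
        record.args = ()
        return True


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z login failed user=alice password=Hunter2",
    "2024-01-01T10:00:05Z payment accepted card 4111 1111 1111 1111 amount=12.50",
    "2024-01-01T10:00:09Z session started user=alice",
]

if __name__ == "__main__":
    print(response_is_cacheable({"Cache-Control": "private, max-age=0"}))  # True
    for line in lines_needing_redaction(SAMPLE_LOG_LINES):
        print("unredacted:", line)
        print("redacted:  ", redact_for_logging(line))
```

Attaching `RedactingFilter` to an application's root logger (`logging.getLogger().addFilter(RedactingFilter())`) turns the verification into a preventive control; `lines_needing_redaction` is the audit side, run over logs that already exist.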

More information about the ASVS Level 1 can be found in our Blog here.

As you can see from the lists above, we believe that if there are any serious security issues with your web application, we will identify them before malicious actors do.

If you compare the “classic” and the “cutting edge” testing frameworks you can see how the focus of testing has moved. The “cutting edge” ASVS gives more consideration to Authentication and Passwords (known as “memorised secrets” in ASVS parlance) than the “classic” does.

In the “classic” there is more emphasis on the back-end web server than in the “cutting edge”. This is because the “classic” is more about the overall picture, while the “cutting edge” focuses more on the front end. Both testing frameworks, however, comprehensively cover the most common application vulnerabilities such as SQL Injection and XSS.

The testing costs are the same, so we have no vested interest in pushing one framework over the other. In the future the “cutting edge” framework will become the accepted standard, but that won't be for at least 2 years, and until then the “classic” is still modern and comprehensive enough for your web application.

The choice of framework would largely depend on how modern your web application is. If, for example, you don't support MFA, passwords containing spaces, or passwords of 60+ characters, then we would advise opting for the “classic” test.

A key point to remember is that any security analysis and testing represents a moment in time. New vulnerabilities are discovered “in the wild” and new proof of concept exploits are developed and released. Your Web Application evolves over time and can have new vulnerabilities introduced through simple misconfigurations or lack of patching and software updating.

Quite often potential clients request to see previous test reports before engaging us in a project.

OIC Solutions will never show your report to other people in an attempt to win business; that is just not acceptable behaviour.

Below are some screenshots from our template Security Assessment Report documents for both the “classic” and the “cutting edge”.

We are not prepared to post the full document online because it has real world monetary value.

OIC Solutions is willing to send you a .pdf copy of a full template report by email if you contact us at info@oicsolutions.co.uk

“Classic” Testing Report Screenshots

“Cutting Edge” ASVS Testing Report Screenshots

Summary

Service Type: web application security testing
Provider Name: OIC Solutions, Telephone No. 44 207 993 2239
Area: global
Description:
Phone: +44 (0) 207 993 2239 | E-mail: info@oicsolutions.co.uk