Who is this service for?
This service is aimed at web applications that are fundamentally based on an “off the shelf” product such as WordPress, with or without additional development work.
Why would I need this service?
This service allows you to preemptively identify and address any existing website application security issues. It also demonstrates to clients that your website application is secure enough not to be easily hacked and used to host malware which could in turn infect them. It protects your reputation, as it reduces the chances of your website application being hacked and defaced. If you have security weaknesses you could end up locked out of your own website application, losing a customer database, or having the entire website application vindictively deleted.
How long does it take?
Up to 5 working days to test and report.
How much does it cost?
The total cost is £950 – a one-third deposit is required before the commencement of work.
The report will provide advice for remediation and hardening of any identified issues and vulnerabilities.
The number of issues identified that require remediation, retesting and re-reporting will define whether a second contract will be required.
As a rule of thumb, if <= 7 individual issues need remediation and retesting, OIC Solutions will undertake this work as part of the original contract agreement and cost.
What is the deliverable product?
A comprehensive human-written report detailing discovered vulnerabilities and insecurities, their seriousness in plain English as it relates to the real world, and how a malicious attacker could leverage them to harm you.
This testing service offers a technical IT security solution for your organisation. But it offers very little with regards to securing your company against the most likely weakest link in the IT security chain – your staff. A harsh but true reality.
Additional product for FREE!!!
OIC Solutions supplies all clients of this service with a 20+ page PDF copy of a User IT FAQ Document that forms the basis of our Staff IT Security Training material. Companies pay £400 for a half day training session based on this material and it’s completely free to you. Further information and screen shots of this documentation are available in our blog post here.
Specific tools and processes used as part of this testing service.
- Using WPScan we identify and report on user accounts and on vulnerable or out-of-date plugins, themes or WordPress versions.
- Using Nikto we report vulnerabilities on your Web Application or Web Server.
- Using BurpSuite PRO and OWASP-ZAP we are able to discover & report on hundreds of potential vulnerabilities including SQL Injection, XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery) and too many more to list here.
- We identify open TCP & UDP ports on your web server. If you have more than just ports 80 & 443 open, you may unwittingly be inviting malicious attackers to connect and probe for weaknesses. You could also be at risk of your web server acting as an email relay for spammers, and of your domain's email being blacklisted as a result.
- We identify Directories and Files that should not be publicly accessible.
- We undertake SSL/TLS “HTTPS” Encryption Certificate quality assurance checks using various resources.
- Some more specific WordPress related security issues and tests are detailed in our blog post here.
- Any other unplanned tests or investigations that arouse suspicion or curiosity along the way.
- Advice about the general hardening of your web server and the software it is running.
This service is loosely based on the OWASP Top 10 and the Level 1 standard from the Application Security Verification Standard (ASVS), but it is not as comprehensive, as is reflected in the time scales and costs.
If your web application has been custom created and/or is the main revenue generating source for your company we would advise commissioning the more comprehensive Web Application Security Testing Service described here.
If you do not wish to make a financial commitment directly to OIC Solutions before the commencement of this Web Application Security Analysis testing service, UpWork.com can act as a secure escrow service provider. This offers clients protection against potentially unfulfilled work, and OIC Solutions protection against potential bad debts. However, this does make the service more expensive.
You can find our Upwork profile here, where you can also view previous client feedback.
You can contact us here, at firstname.lastname@example.org or on +44 (0) 207 993 2239.
More client feedback is available to view here.