Application Penetration Test - Tier 1
This package is suitable for small corporate web sites and simple web applications. We perform an automated scan of your web site using several vulnerability scanners, and our security analysts verify the reported issues to eliminate false positives.
Unauthenticated Web Site Scan Methodology
Lean Security conducts an unauthenticated automated web application security scan to identify common security issues that might be exploited by hackers in order to compromise the application. The methodology is aligned with the best practices from NIST and OWASP.
Main features and benefits:
- Cost effective way to quickly assess the security of a website
- Fast turnaround due to automated security assessment
- Reduces security risks and improves compliance by identifying and fixing the OWASP Top 10 security issues
- Fully managed security scan requires fewer internal resources to execute and to remove false positives
The scan is executed based on the following steps:
Step 1. Target reconnaissance (Limited)
The Lean Security engineer will receive the information about the target you would like to assess. The information includes the web application URL, business criticality, etc. The engineer will then manually connect to the target to confirm that the website can be reached and scanned. The engineer will also do a sample check of the pages and subfolders to make sure the target website operates correctly. During this step, the engineer will also determine the backend technology used for the web application (WordPress, Drupal, Joomla, a commercial CMS, etc.).
Step 2. Web Application Scanner configuration and Tweaking
Lean Security uses multiple web application security scanners to assess the security of the web application. The list of scanners includes both commercial and freeware security tools used by both security professionals and hackers. This step is essential to make sure the scanner covers the whole application and that every page is assessed for security issues. The engineer will also tweak the scanner depending on the website technology and framework (ASP.NET, PHP, AJAX, etc.).
Step 3. Automated website crawling
The Lean Security engineer will instruct the web application scanner to crawl the website and determine which pages are available to an unauthenticated user. The web app scanner will then visit every page of the website and build the site tree. Next, the engineer will verify the site tree by making sample checks and manually browsing the target web application.
Step 4. Unauthenticated Web Vulnerability Scan
The engineer will then start the automated security scan to determine the security issues on the identified pages. The scanner will test all the web page inputs for common web application vulnerabilities, such as SQL injection, Cross-Site Scripting (XSS), Cross-Frame Scripting, Local File Inclusion (LFI), Remote File Inclusion (RFI), default directories and many other website security issues. The scan will be executed in a controlled manner and will introduce only minimal performance impact on your web application.
Step 5. Results Review and False Positives Removal
Automated website vulnerability scanners often produce a lot of false positives. The Lean Security engineer will manually inspect and validate the reported security issues to remove those false positives. This step also helps us tune the system to minimise the occurrence of false positives in future scans.
Step 6. Final Results Publishing
When the web application scan is completed and the false positives are removed, the results are published on Lean Security customers' secure cloud-based dashboard. Customers can log in online and review the results of their security assessment. The dashboard allows customers to export the results to CSV, PDF or HTML format for offline distribution.