Application Penetration Test - Tier 2
Application Penetration Test - Tier 2
This package is suitable for Mid size corporate web sites with the Data Collection function and simple web application (booking site, members' sections etc). The service includes the manual and the automated testing of the web site to discover the security issues.
Authenticated Web Site Scan Methodology
Lean Security developed a unique and comprehensive web application security assessment methodology which will help businesses assess the security of their digital assets. The methodology is aligned with the best practices from NIST and OWASP.
Main features and benefits:
- Fully managed security assessment which helps businesses reduce the security risks and improves compliance
- The methodology includes automated and manual security testing for complete coverage
- Fast turnaround due to optimised testing processes and the usage of advanced technologies
The scan is executed based on the following steps:
Step 1. Target reconnaissance.
The Lean Security engineer will receive the information about the target you would like to assess. The information includes the web application URL, business criticalities etc. The engineer will then be manually connected to the target to confirm that the website can be reached and scanned. The engineer will also do a sample check of the pages and subfolder to make sure the target web site operates correctly. During this step, the engineer will also determine the back-end technology used for the web application (Wordpress CMS, Drupal, Joomla, commercial CMS etc). In addition to this, the security engineer will is able to manually explore the application and map the business functions it executes and the processes it supports.
Step 2. Web Application Scanner Configuration and Tweaking
Lean Security uses multiple web application security scanners to assess the security of the web application. The list of scanners includes both commercial and freeware security tools used by both security professionals and hackers. This step is essential to make sure the scanner covers the whole application and every page is assessed for the security issues. The engineer will also tweak the scanner depending on the website technology and framework (ASP.NET, PHP, AJAX etc). The web scanner configuration is a labour-intensive process and our engineers have used their extensive experience and knowledge of the web application issues to optimise the scan performance.
Step 3. Automated Web Site Crawling
The Lean Security engineer will instruct the web application scanner to crawl the website and determine which pages are available to an unauthenticated user. The web app scanner will then visit every page of the website and determine the site tree.
Step 4. Manual Web Site Crawling
The security engineer will review the site tree that was built during the automated website crawling and then manually verify it. The engineer will also manually crawl the website and determine the areas which were not checked by the automated scanner. If a target application contains authentication forms or restricted areas, the engineer will manually log in and make sure the restricted areas are crawled and added to the site tree as well.
Step 5. Automated unauthenticated web vulnerability scan.
The engineer will then start the automated security scan to determine the security issues on the identified pages. The scanner will test all the web page inputs for the common web application vulnerabilities, such as SQL injection, Cross Site Scripting (XSS), Cross Frame Scripting, Local File inclusions (LFI), Remote File inclusions (RFI), default directories and many other web site security issues. The scan will be executed in a controlled manner and only introduce minimal performance impact on your web application.
Step 6. Automated authenticated web vulnerability scan.
The Lean Security tester will then perform the automated security test on the parts of the target web application that requires logging in. The examples include membership areas, online booking areas, data collection forms, promotion websites etc. The scan is controlled to ensure that minimum impact is done on the production system or the server infrastructure.
Step 7. Manual web vulnerability testing.
This step includes the actions and tests to identify the vulnerabilities not picked up by the automated security scanner. The engineer will use the custom written tools and manual testing to fuzz the application and determine the loopholes in the application's logic. The tests will take into consideration the application's functions and business processes. The common issues identified during this step are the password management issues, the account lifecycle management issues, the access control issues, application restrictions bypass etc.
Step 8. Results Review, Triage and False Positives Removal
The automated website vulnerability scanners often produce a lot of false positives. The Lean Security engineer will manually inspect and validate the security issues to remove those false positives. The Lean Security engineer will also perform a triage of the security findings to determine the likelihood, impact and security risk of the identified security issue. This step also helps us tweak the system to minimise the occurrence of false positives in future scans.
Step 9. Publishing the results.
When the web application scan is completed and the false positives are removed, the results are published on the Lean Security customers’ secure Cloud based dashboard. The customers can log in online and review the results of their security assessment. The dashboard allows the customers to export the results to a CSV, PDF or HTML format for offline distribution.