“Years of experience have taught me that it’s not easy to find a Pen Testing service which provides insightful advice in an engaging way, whilst providing value for money. Discovering Ambersail has certainly proven to be the exception that proves the rule! I won’t be looking elsewhere in a hurry.”
Head of ICT – Hillarys Blinds
Is Application Penetration Testing For You?
There are many reasons why an organisation needs to test.
Best practice. A new web application is about to Go Live. A company needs the reassurance that there are no significant security issues that can be exploited.
Compliance. A company needs to perform penetration testing on its networks and assets as part of regulatory requirements. Ensuring they get compliant and avoid fines or penalties.
Commercial. Technology providers such as application developers need independent security verification of their products to provide to their clients.
Recovery. Companies that have already fallen victim to hacking attacks and need to demonstrate weaknesses are now fixed.
Application Penetration Testing is widely regarded as an important tool used to identify and remove serious security weaknesses from web applications.
Testing That Is Affordable And Straightforward
Application Penetration Testing should not be a complicated process.
On contacting us we can quickly understand what needs to be tested. You will then receive a clear work schedule with costs.
If you need a one-off test. Fine. If you need more regular testing. Fine. It is up to you.
When you use Ambersail you can expect:
- Testing to be performed by our UK based, CREST accredited test team. Testing applications since 2002.
- No Fuss. No complicated extras. Straightforward, competitive prices.
- Testing performed to meet your timescales. We are ready to go when you need us.
- Only testing what is in scope. You’ll get honest and clear advice.
- You’ll get easy access to our CREST test team. Where you can speak to a real person.
- Easy to understand reports with clear advice on what to do next.
- Walkthroughs of results and retests to confirm fixes have been made.
Contact us to get started.
Need To Know More On How We Do Things?
Testing consists of three stages…
We initially spend time understanding how each application is built. This includes identifying components such as web servers, databases, web application firewalls and load balancers. This understanding creates a blueprint for the next stage of testing.
At this stage, our test team understands the structure of the web application and any supporting technology. Time is now spent understanding how the application works, what business functions it supports. How authentication, authorisation and access control mechanisms are implemented.
With a detailed understanding of the application, our attention turns to identifying vulnerabilities. Often, simple manual tests carried out by intercepting and modifying web traffic can reveal a wealth of useful information that enables a significant exploit to be constructed and executed. This can hightlight failures in authentication, authorisation and access control schemes. Leakage of information useful to an attacker or failure to sufficiently validate input before processing it.
What is an Application Penetration Test?
It is a security assessment of an application. Normally a web application such as an Ecommerce site. Its aim is to identify any security weaknesses that can be exploited by hackers.
Why test? Often to assess the security of new applications being developed that process sensitive data. Needing to meet compliance requirements such as PCI DSS or ISO 27001. A recognised independent security test to reassure organisations purchasing the application.
Any web application may be targeted by criminals. Many web sites provide access to valuable data such as credit card details, personal information or intellectual property.
A common part of application penetration testing is understanding how the application deals with data entered by the user. This is known as Input Validation. If the application cannot filter out unexpected input, it can potentially be controlled by the hacker. Other problem areas identified during a test include weak passwords and poorly implemented access controls. A trusted resource for understanding what can go wrong is provided by OWASP.
Application Penetration Testing is not an automated process. Criminals and hackers are often well skilled, so the same approach should be used when performing an application penetration test. This means using experienced testers to ensure a thorough assessment.
Testing results should clearly show what is wrong and offer actionable, easy to understand advice on how to fix issues.