ABOUT WEB APPLICATION PENETRATION TESTING
A web application pen-test is a type of security assessment that focuses on the security posture of web applications, with the objective of identifying, analyzing and reporting the vulnerabilities found during the test.
Today, most daily tasks can be performed online via web applications. Many of these handle critical content, containing highly confidential information, and perform functions such as processing online transactions, hosting online banking systems, online education portals, etc.
From a business perspective, web applications are essential for companies to perform e-business activities such as buying or selling products (e-commerce), supply chain management, electronic order processing, customer relationship management and many more.
Web Application Attack Frequency, Q3 2017
In this kind of pen-test, LGMS focuses on assessing the application layer, examining the requests sent from the browser to the web application and the responses returned from the web server to the browser.
According to Akamai, web application attacks increased by 69% in Q3 2017 compared to Q3 2016. Besides that, the three web application attacks with the highest attack frequency are SQL injection (SQLi), Local File Inclusion (LFI) and Cross-site Scripting (XSS).
Methodology Covered in Web Application Pen-test
Each year, the Open Web Application Security Project (OWASP) publishes its list of the top 10 web application security risks. LGMS has incorporated this list into our standard operating procedure to adhere to industry standards.
OWASP Top 10 Application Security Risks
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Is there a need for Pen-test? What can we offer?
As many companies now host their own web applications to improve business efficiency and returns, web application pen-tests must be conducted to safeguard the company's assets and information.
Additionally, we may never know where these attack vectors are coming from; to be on the safe side, this pen-test provides sufficient information to help thwart attacks from both outsiders and insiders.
All in all, preventing potential business loss or major reputational damage from web attacks is key, and such losses can be avoided when the web application loopholes discovered in the pen-test are patched.