Web Application Review


Web applications are usually the most exposed part of a company’s IT infrastructure.

Security Labs will test the application's endpoints and user-supplied inputs and outputs, as well as the underlying web server and its interactions with its database, either through authorised access or by compromising the application or its access controls. We take an offensive approach to simulate a real-world attack on the application in scope.

This kind of testing shows the client whether the Software Development Life Cycle (SDLC) implements secure coding practices, and whether the application's security controls are effective, consistently applied and working as expected.

Testing methods

Security Labs' methodology includes, but is not limited to:

  • Web Application threat modelling including publicly accessible information.

  • Users' horizontal and vertical access controls.

  • Authentication mechanisms, such as testing the life cycle for user sessions from creation to destruction.

  • Functionality of access controls.

  • Leaking Personally Identifiable Information (PII) to unauthorised users.

  • Security research for previously undiscovered vulnerabilities.

  • The top ten OWASP vulnerabilities.
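To illustrate what the access control and session lifecycle items above actually check for, here is an added example written for this page; it is not Security Labs' tooling or any client code. It models a hypothetical application with an in-memory session store and two constructed sample resources, and shows the server-side checks a tester expects to find: a horizontal control (a user may only read records they own), a vertical control (an administrative function requires the admin role), and session handling from creation through expiry to destruction on logout. The user names, record IDs, e-mail values and the 900-second timeout are all constructed assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

SESSION_TTL_SECONDS = 900  # assumed timeout for the example; real values are policy-driven

# Constructed sample users: two standard users and one administrator.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}

# Constructed sample records, each owned by exactly one user and holding PII.
RECORDS = {
    101: {"owner": "alice", "pii": "alice@example.invalid"},
    102: {"owner": "bob", "pii": "bob@example.invalid"},
}


class AuthorizationError(Exception):
    """Raised when a caller is authenticated but not permitted to perform the action."""


class SessionError(Exception):
    """Raised when a session token is unknown, expired or has been destroyed."""


@dataclass
class SessionStore:
    # The clock is injectable so expiry can be exercised without waiting.
    now: Callable[[], float] = time.time
    sessions: Dict[str, dict] = field(default_factory=dict)

    def create(self, username: str) -> str:
        # Creation: an unpredictable random token, never derived from the username.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "expires": self.now() + SESSION_TTL_SECONDS}
        return token

    def resolve(self, token: str) -> str:
        # Validation: unknown tokens are rejected; expired ones are rejected and purged.
        entry = self.sessions.get(token)
        if entry is None:
            raise SessionError("unknown session")
        if self.now() >= entry["expires"]:
            del self.sessions[token]
            raise SessionError("session expired")
        return entry["user"]

    def destroy(self, token: str) -> None:
        # Destruction: logout invalidates the session server-side, not just in the browser.
        self.sessions.pop(token, None)


def get_record(store: SessionStore, token: str, record_id: int) -> str:
    """Read one record's PII. Horizontal control: only the owner (or an admin) may read it."""
    user = store.resolve(token)
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    if record["owner"] != user and USERS[user]["role"] != "admin":
        raise AuthorizationError("caller does not own this record")
    return record["pii"]


def list_all_users(store: SessionStore, token: str) -> list:
    """Administrative function. Vertical control: the admin role is required."""
    user = store.resolve(token)
    if USERS[user]["role"] != "admin":
        raise AuthorizationError("admin role required")
    return sorted(USERS)


def _raises(exc_type, fn, *args) -> bool:
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def run_checks() -> dict:
    """Exercise each control and return the outcomes as named booleans."""
    clock = [1_000_000.0]  # controllable clock so session expiry is testable offline
    store = SessionStore(now=lambda: clock[0])
    t_alice = store.create("alice")
    t_carol = store.create("carol")
    results = {
        "owner_can_read_own": get_record(store, t_alice, 101) == "alice@example.invalid",
        "horizontal_blocked": _raises(AuthorizationError, get_record, store, t_alice, 102),
        "vertical_blocked": _raises(AuthorizationError, list_all_users, store, t_alice),
        "admin_allowed": list_all_users(store, t_carol) == ["alice", "bob", "carol"],
        "tokens_unique": t_alice != t_carol and len(t_alice) >= 40,
    }
    clock[0] += SESSION_TTL_SECONDS + 1  # advance past the timeout
    results["expired_rejected"] = _raises(SessionError, get_record, store, t_alice, 101)
    t_bob = store.create("bob")
    store.destroy(t_bob)
    results["logout_rejected"] = _raises(SessionError, get_record, store, t_bob, 102)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Each check in `run_checks` corresponds to a finding a review would raise if it failed: a horizontal failure means one user can read another's PII by changing a record ID, a vertical failure means a standard user can reach administrative functionality, and a session that still resolves after expiry or logout means the session lifecycle is not enforced on the server.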

Testing approaches

Security Labs will approach the testing using one or more of the following methods:

  • Unauthenticated malicious external user.

  • Authenticated standard and administrative users.

  • Authenticated standard user(s).

  • Authenticated administrative user(s).