Securing business data

Application Testing

Web Application Testing

CNS tests a large number of issues in applications, broadly following the OWASP guidelines. It is not possible or appropriate to provide a full list of every issue tested, but testing will include, as examples, cross-site scripting, SQL injection, session ID evaluation, password evaluation, password cracking, information leakage and encryption evaluation.

Organisations now use web applications to provide software to internal users, remote users and customers alike. This means that access to key systems, and most importantly to data, is available to a large number of users, so it is vital that these applications are security tested.


Service Description

A web application test begins with an automated scan, which highlights common configuration vulnerabilities. Automated testing alone does not give a complete picture of the issues affecting a web application, so the tester will also visit the site manually and exercise its functions. Testers generally use the Firefox browser in conjunction with the OWASP ZAP intercepting proxy, which captures and analyses the HTTP requests and responses passing between the browser and the application and reports any interesting findings.

Testers test the application against the OWASP Top Ten, which includes SQL injection, cross-site scripting, and unrestricted access to files or directories that should be protected. If known vulnerabilities in a commercial application are discovered, the tester will attempt to exploit them, unless exploitation is known to cause denial of service. Once the OWASP Top Ten have been covered, testers check for lesser-known vulnerabilities that may still affect the application.

Generally, the tester performs testing with different levels of credentials, preferably with two accounts at each level (for example unauthenticated, member and administrator). As an unauthenticated user, the tester tries to authenticate without credentials, or to reach functionality that should only be available to authenticated users. With an authenticated account, the tester attempts to access or modify the details of other users; this is why a second account at the same level is useful, since a request captured under one account can be replayed under the other and the responses compared.


Process Overview

1. TOR - The Terms of Reference states what we will be doing, who exactly will be doing it, when, and any exclusions, restrictions, etc.
2. Port Scan - We scan the application's IP address for open TCP and UDP ports. The scanning is performed from our specialist secure data centre.
3. Vulnerability Scanning - CNS scans the application and the active ports identified in the previous step with a number of automated tools, such as Nessus.
4. Unauthenticated Testing - CNS performs unauthenticated testing of the web application, trying to find hidden directories or files.
5. Authenticated Testing - CNS maps out the functionality of the application and attempts to gain access to, or modify, data belonging to other accounts.
6. Unauthenticated Re-testing - With knowledge of the authenticated functionality, CNS attempts to use the same functionality again as an unauthenticated user.
7. Documentation - CNS then documents all results and issues identified, providing a detailed executive summary, a results table, a statistics page, and a detailed technical explanation for each issue.
8. Quality Assurance - The report is passed through our internal QA process multiple times: a second senior tester reviews the report and raises any issues, and the report is then passed to the testing manager for a final review.
9. Report Release - The report is then provided to the client using the chosen method; by default this is an encrypted CD sent by registered post.
10. Optional Retest - As an optional extra, CNS can conduct further testing to verify any fixes applied.
11. Post Testing Debriefing - CNS then conducts a debriefing for the client.
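The two-accounts-per-level approach described under Service Description and steps 5 and 6 of the process above amount to one check: every request mapped under user A is replayed under a second same-level user B and then with no session at all, and any response that matches A's is a finding. The script below is an added example written for this page, not CNS code or any tool CNS uses. It stands up a constructed toy application in-process with two deliberate flaws (an insecure direct object reference on /api/profile/<id> and no authentication at all on /api/admin/export, both hypothetical), then runs the replay check against it; the user records, tokens and paths are all made up for the example.

```python
"""Authorisation re-test: replay requests captured as user A with user B's
session and with no session, flagging horizontal and unauthenticated access.
Added example; the target below is a constructed toy app, not a real system."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: session token -> user record (two member-level accounts)
USERS = {
    "tok-alice": {"id": 1, "name": "alice", "role": "member"},
    "tok-bob":   {"id": 2, "name": "bob",   "role": "member"},
}


class ToyApp(BaseHTTPRequestHandler):
    """Deliberately flawed application standing in for the client's system."""

    def _session(self):
        auth = self.headers.get("Authorization", "")
        tok = auth[7:] if auth.startswith("Bearer ") else ""
        return USERS.get(tok)

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        user = self._session()
        if self.path == "/api/me":                  # correct: returns own record only
            return self._send(200, user) if user else self._send(401, {"error": "login"})
        if self.path.startswith("/api/profile/"):   # flaw: any session may read any id
            if not user:
                return self._send(401, {"error": "login"})
            uid = int(self.path.rsplit("/", 1)[1])
            target = next((u for u in USERS.values() if u["id"] == uid), None)
            return self._send(200, target) if target else self._send(404, {})
        if self.path == "/api/admin/export":        # flaw: no authentication check at all
            return self._send(200, {"users": list(USERS.values())})
        self._send(404, {})

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(base, path, token=None):
    """GET base+path, optionally with a bearer token; return (status, body)."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def authz_retest(base, captured, owner_token, other_token):
    """For each path mapped as the owner, replay with no session (step 6) and as
    another same-level user (step 5). A 200 carrying the owner's exact response
    body is reported; anonymous access outranks horizontal access."""
    findings = []
    for path in captured:
        st_owner, body_owner = fetch(base, path, owner_token)
        if st_owner != 200:
            continue
        st_anon, body_anon = fetch(base, path, None)
        st_other, body_other = fetch(base, path, other_token)
        if st_anon == 200 and body_anon == body_owner:
            findings.append(("unauthenticated", path))
        elif st_other == 200 and body_other == body_owner:
            findings.append(("horizontal", path))
    return sorted(findings)


def run_demo():
    """Start the toy app on an ephemeral port, run the re-test, return findings."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        captured = ["/api/me", "/api/profile/1", "/api/admin/export"]  # mapped as alice
        return authz_retest(base, captured, "tok-alice", "tok-bob")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:16} {path}")
```

Against a real target the captured list would come from the proxy history rather than a literal, and byte-for-byte body comparison is only a first filter: responses containing timestamps, CSRF tokens or the caller's own username differ even when the underlying data has leaked, so each candidate still needs a manual look. Note also that /api/me is correctly not reported, because bob's 200 carries bob's own record, not alice's.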

Enterprise Application Testing

CNS also tests a large number of enterprise applications, such as SAP and Oracle, as well as some very specialist applications, such as SCADA systems with their own proprietary protocols...

Get in touch

Talk to our experts today +44 (0) 20 7592 8800
