This is the same as external penetration testing but we test for exploits specific to web applications such as SQL injection, cross-site scripting, directory traversal, etc. All work is performed according to the OWASP Top Ten framework.
All organizations are exposed and vulnerable to threats. Threats to critical information assets may be intentional or the result of negligence; they may come from seasoned criminals or careless employees, cause minor inconveniences or extended service disruption, and result in severe financial penalties, loss of public trust and damage to corporate reputation.
OWASP penetration testing is the process of evaluating the implementation of security controls for web applications by simulating real-world attacks. Regular penetration testing is intended to identify weaknesses in security measures and is one component of a comprehensive security program.
The objectives of this initiative are as follows:
- Identify weaknesses, vulnerabilities and exploits in the organization’s web application(s).
- Improve the overall security posture of the organization – Penetration Testing plays a critical role in an organization’s ability to defend against security threats.
- Reduce organizational risk – Vulnerability scanning (attack surface reconnaissance) can identify vulnerabilities and exploits in an organization’s web application(s).
- Support compliance – Penetration Testing can satisfy an organization’s regulatory, commercial and organizational compliance requirements (see Regulatory Compliance section below).
- Test security investments – Penetration Testing measures the effectiveness of the security controls that are currently in place.
Based on the globally-recognized OWASP standard for web application penetration testing, this exercise will identify weaknesses, vulnerabilities, and exploits in the web application(s) identified in the scope of the project.
Prior to the actual web application penetration test, Info Advantage will work with the organization to ensure that a risk mitigation plan is in place to reduce potential downtime resulting from the test.
OWASP penetration testing is a structured process following these phases:
- Planning – This involves defining the scope, rules, schedule, and other parameters and goals.
- Discovery – This involves information gathering that will be used for the attack. Potential targets, vulnerabilities, and exploits are identified. Discovered assets are compared against known vulnerability databases to ease penetration.
- Attack – This involves the exploitation of targets based on discovered information.
- Reporting – This involves the documentation of successful exploits and their corresponding vulnerabilities and assets. Reporting occurs throughout the OWASP penetration testing process.