Penetration Testing

We will analyse your web applications, mobile apps and web servers for vulnerabilities using penetration tests (simulated hacker attacks). We will then provide you with extensive, comprehensible reports including basic decision-making guidelines for personnel responsible for the functional application design, as well as specific instructions for developers.


Comprehensive

The analysis covers all 5 levels in the classification diagram for the organisation of security in web applications published by the German Federal Office for Security in Information Technology (BSI) and adheres to the recommendations of the Open Web Application Security Project (OWASP).


Reliable

The wealth of experience concentrated in our knowledge pool coupled with the outstanding expertise of our testers is your guarantee for a high level of reliability in the search for vulnerabilities.


Efficient

We achieve a high level of efficiency and can thus offer our services cost-effectively, thanks to our wealth of experience and use of high-performance tools.


Initial test

In the initial test we specifically examine the software under test for vulnerabilities that

  • are widespread and
  • conceal a high level of potential risks.

The initial test is the most suitable approach if a web application or website is undergoing a test for the first time. It provides broad-based and far-reaching identification of security problems – based on an optimised cost and benefit test budget – and enables the client to evaluate the security status.

Complete test

The complete test is used when maximum security is required. In this process, the web application or website undergoes comprehensive and thorough testing. Using a checklist based on our experience, the protection needs and the scope of testing are determined, and a test budget optimised in terms of cost and benefit is provided.

Example: More intensive and in-depth testing will be performed on a sensitive application, such as an industry portal that works with data and processes critical for competition, than with a less critical application, such as a discussion forum.

Low-budget approach

We offer an extremely affordable approach for specific cases – based on the individual web application – for example when a large number of similar web applications are to be tested at the same time.

Standards and Best Practices

We adhere to existing standards and best practices in our analysis:

  • OWASP ASVS (Application Security Verification Standard)
  • OWASP Testing Guide
  • OWASP Top 10
  • OWASP Development Guide
  • Web Application Security Consortium (WASC) Threat Classification
  • PCI Data Security Standard (PCI-DSS)
  • BSI Guidelines “Durchführungskonzept für Penetrationstests” and “Maßnahmenkatalog und Best Practices zur Sicherheit von Webanwendungen”

Scope

Vulnerabilities caused by implementation and configuration errors (levels 3 and 1) are only one part of the problem. Incorrectly implemented business logic can often conceal a wide gateway for attackers. We therefore also consider the logical and semantic levels as well as the correct use of available security techniques (levels 4, 5 and 2). Our tests consider application security as an integrated whole.

Semantics

Protection against deception and fraud

For example:
  • Information that enables social engineering attacks
  • Use of pop-ups, among other features, makes phishing attacks easier
  • No safeguards against the website being faked

Logic

Safeguarding of processes and workflows as a whole

For example:
  • Use of insecure email in an otherwise secure workflow
  • Passwords exposed by a sloppily designed “I forgot my password” function
  • The use of stronger passwords is not enforced

Implementation

Avoidance of programming errors that lead to vulnerabilities

For example:
  • Cross-site scripting
  • SQL injection
  • Session riding

Technology

Correct choice and secure use of technology

For example:
  • Unencrypted transmission of sensitive data
  • Authentication methods not commensurate with the protection needs
  • Inadequate randomness of tokens

System

Securing of the software used on the system platform

For example:
  • Errors in the configuration of the web server
  • “Known vulnerabilities” in the software products used
  • A lack of access control in the database

Network & Host

Responsibility for securing the host and network no longer lies with web application security. However, it is essential to consider dependencies with the overlying levels.

Results Report

We provide you with a comprehensive report, which presents the test cases and problems identified in an easily comprehensible manner and delivers information on the potential risks and threats. We also provide detailed information about eliminating them.


Rating Process

Each test conducted is rated with a risk potential (severity of the vulnerability) and a probability of occurrence (probability of the vulnerability being found and exploited). We rate potential risks with an easily understandable traffic light rating of high, medium and low. The probability of occurrence indicates how easy it is for an attacker to discover and exploit the vulnerability:

  • High: Little knowledge needed, easy to find and easy to exploit
  • Medium: Good knowledge needed, can only be found with some effort and only exploited with some effort
  • Low: Extensive knowledge needed, difficult to find and difficult to exploit

Structure of the Test Results

Each vulnerability or attack technique has its own sub-chapter. The following is listed in each case:

  • Explanation: The vulnerability or attack technique is clearly explained, and reference is made to further sources of information (e.g. links).
  • Attack scenario / Threat: If necessary, we describe here possible scenarios for exploiting the vulnerability identified to offer the reader the possibility of evaluating the risk. We base this on a “worst case” approach, i.e. we define the more threatening scenario in case of doubt. This definition is independent of the probability of occurrence.
  • Test cases and examples: The tests conducted are described in detail and documented with screenshots so that it is simple for the client to understand them and assess the potential risk themselves.
  • Measures: Where possible, we provide general measures and best practices for solving the problems identified.

See also:

Static code analysis can be a supplement or alternative to penetration testing.

Additional information:

The Big Application Security Penetration Testing FAQ for Clients provides answers to many important questions concerning the commissioning of penetration tests.


Your Contact:

Thomas Schönrich

Contact us via email.
Or call us or use our special contact form.