HyperSecur™ Assessments

Web Application Testing


Methodology

We have developed a detailed, methodical approach to web application penetration testing to ensure our work is effective, efficient, and repeatable. Our methodology goes well beyond looking for the OWASP Top Ten issues.

Discovery

Datassurant uses an optimized suite of security tools consisting of commercial, open source and proprietary software. These tools are critical in correctly analyzing and building a complete understanding of the scope of your web site and how its components interact. We also work with you to understand the business impact of various features, so that we can qualify and quantify the business risk of the vulnerabilities we find.

Assessment

We use a common security frame to ensure that all important areas are tested and to ensure consistency and repeatability.

  1. Authentication
  2. Authorization
  3. User management
  4. Session management
  5. Data validation, including all common attacks such as SQL Injection, Cross Site Scripting, Command Injection and bypass of Client Side Validation
  6. Error handling and exception management
  7. Auditing and logging

Reporting and deliverables

We produce a detailed, written report with an executive summary prioritizing findings and the impact on your business. Our individual technical findings all contain specific details and recommendations for mitigation.

Scope

We understand that it is sometimes difficult to know what needs to be "in-scope" prior to conducting the actual testing itself. For that reason, we use Datassurant's optimized suite of security tools consisting of commercial, open source and proprietary software. This allows us to browse your web site and produce a visual map and a detailed results file that greatly assist us in scoping and completing your assessment.

We scope the amount of work needed based on the number of dynamic pages, the number of authorization levels for users, and other information you provide.

Our scoping questionnaire and SiteScope tool are available on request by emailing support@datassurant.com.

  1. We can perform testing on-site or remotely and can work 24/7.
  2. We can test within given change control windows and during quiet periods.
  3. Engagements typically range from two weeks to one month.

Deliverables

Once our consultants have completed the testing, we will deliver:

  • A thorough and detailed report of our findings, containing:
    • Executive Summary of risks and potential solutions in non-technical terms
    • Management Overview with a high-level overview for your mid-level or technical managers
    • Technical Review with a detailed list of vulnerabilities and remediation recommendations for your system administrators
    • Additional Industry Best Practice or "what to do first" recommendations
  • Half-day engagement closeout briefing with Security Assessment Results Presentation (SARP)

All Datassurant projects are managed using Datassurant's proven HyperSecur Project Management Process. This process ensures continual communication with your organization to ensure the success of every Datassurant consulting engagement.

Network Penetration Testing

Penetration testing is a method of testing that systematically probes your system, exposing weaknesses a hacker might attack. By attempting to breach your security measures, Datassurant can create a remediation plan and assist your organization in eliminating the vulnerabilities found.

Datassurant provides customized penetration testing to help ensure that your organization's security is and remains as strong as possible. By actively evaluating your existing security controls, methods and practices, we analyze your system for design weaknesses, technical flaws and vulnerabilities. We perform penetration testing using our proprietary HyperSecur™ system, based on Datassurant's industry-leading security experience, OSSTM, NIST, OWASP and other recommended industry best practices.

Our HyperSecur™ testing methodologies are custom built to your security environment to ensure a detailed audit of your systems. The entire security model is divided into manageable sections for testing. Each section is viewed as a collection of test modules, which are then broken up into sets of tasks. By using a systematic approach, we are able to identify not only individual weaknesses at the task level, but also the inter-relationships between tasks and modules. This exposes vulnerabilities that would be missed by testing each component in isolation.

Our areas of expertise extend to all major types of testing, which allows us to customize the correct approach for your security testing needs. Datassurant also offers these related services:

  1. External Penetration Testing
  2. Internal Security Assessment
  3. Application Security Assessment
  4. Wireless/Remote Access Security Assessment
  5. Telephony Security Assessment
  6. Social Engineering

Deliverables

Once our consultants have completed the testing, we will deliver:

  • A thorough and detailed report of our findings, containing:
    • Executive Summary of risks and potential solutions in non-technical terms
    • Management Overview with a high-level overview for your mid-level or technical managers
    • Technical Review with a detailed list of vulnerabilities and remediation recommendations for your system administrators
  • Half-day engagement closeout briefing with Security Assessment Results Presentation (SARP)

This allows you to best understand your vulnerabilities and to immediately take action to raise your organization's security posture.

© 2006 - 2008 Datassurant, Inc. All Rights Reserved.