Secure your digital applications by identifying vulnerabilities that could affect the confidentiality, integrity or availability of systems and data.
What is Application Penetration Testing?
Application Penetration Testing is a key part of the assurance lifecycle for digital systems and assets, ensuring they meet internal and external compliance requirements and limiting exposure to cyber risks.
An Application Penetration Test assesses whether users are only able to perform the actions intended for them, and whether the application implements sufficient measures to protect its users by limiting an attacker's ability to abuse a compromised account. This is achieved by identifying any vulnerabilities in the application that an authenticated or unauthenticated attacker could use to:
- Gain unauthorized access to information.
- Perform malicious actions within the application.
- Compromise other application users.
- Escalate privileges within the application.
- Compromise the application’s underlying infrastructure.
Application Penetration Testing is suitable for both internal- and external-facing applications (including web and mobile applications). It is designed to identify vulnerabilities that could affect the confidentiality, integrity or availability of systems and the data they process.
Why should you undertake Application Penetration Testing?
Penetration Testing is critical to establishing a robust security baseline for your applications.
Assuring the health of digital systems and applications is vital to business continuity and a core component of effective risk management, as it underpins the resilience of the critical business services that your digital systems and technologies support.
Regular testing of digital applications is essential for organisations that rely on digital systems and technologies to deliver their business services. Organisations whose business strategy depends on adopting innovative technologies to drive performance should take particular care to ensure those digital dependencies are secured.
JUMPSEC recommends that all organisations that depend on evolving digital systems and applications incorporate regular testing into their ongoing security assurance programme.
What outcomes does a JUMPSEC Application Penetration Test provide?
JUMPSEC application penetration testing will allow you to:
- Translate complex technical risks into business terms, demonstrating the value of cyber security investment as a reduction in business risk.
- Enable the timely identification and remediation of vulnerabilities which could be exploited by an attacker to cause harm to your business.
- Build resilience against realistic attacker techniques by simulating the ways that a real-world attacker will target the application.
- Increase confidence in the security posture of your digital assets to build the trust of your internal stakeholders and external authorities, customers, and partners alike.
- Satisfy a range of compliance requirements with a comprehensive report detailing vulnerabilities identified and recommended remedial actions prioritised by risk.
Frequently Asked Questions
What types of vulnerability can be identified?
Testing investigates a range of common vulnerability types and analyses the application's supporting infrastructure, to determine which areas are most likely to be targeted by an attacker in context. This can include, for example:
- Access Control
- Business Logic
- Cross-Site Scripting (XSS)
- Data Protection
- Data Validation
- File and Resources
- Insecure Deserialization
- Insufficient Logging & Monitoring
- Secure Communications
- Security Misconfiguration
- Sensitive Data Exposure
- Session Management
- Supporting Infrastructure
- Using Components with Known Vulnerabilities
- XML External Entities (XXE)
What industry standards do JUMPSEC Application Penetration Tests adhere to?
JUMPSEC Application Penetration Tests are informed by a range of industry standards such as the OWASP Application and Mobile Application Security Verification Standards (ASVS and MASVS), the OWASP Top 10 and OWASP API Security Top 10, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES).
What types of testing can be delivered?
JUMPSEC can deliver testing from an authenticated and unauthenticated perspective to represent attackers with different levels of access and privilege and simulate a range of threats (e.g. internal, external). JUMPSEC can deliver black, white, and grey box assessments in order to satisfy a range of client requirements.
- Black box – testing that resembles a real-world attacker with no prior information about the systems in scope.
- Grey box – testing informed by some information about the application, such as architectural diagrams, documentation, and credentials, enabling a more comprehensive assessment with less time spent discovering how the application functions.
- White box – testing performed in full visibility of the client, with comprehensive information such as source code, architecture, and data workflows. This approach involves a thorough examination of the application to identify deeper security issues from both the design and implementation perspectives.
Where possible, JUMPSEC recommends a grey box approach, as it typically yields greater depth and breadth of findings, more actionable remediations, and a greater overall uplift in security posture.
Do you deliver Application Penetration Testing to meet specific compliance requirements?
Testing can be performed to meet a range of compliance requirements, including PCI DSS and IT Health Check.
How much does an Application Penetration Test cost?
The cost of a web application penetration test is determined by the number of days required to fulfil the agreed scope of the engagement. To receive a quotation, your organisation will need to complete a pre-evaluation questionnaire. JUMPSEC experts are available to guide you through this process.
What information is needed to scope a Web Application Penetration Test?
The following information, at minimum, is required to scope a web application security test:
- The number and types of web applications to be tested
- The number of static and dynamic pages
- The number of input fields
- Whether the test will be authenticated (login credentials provided) or unauthenticated (no credentials provided).
How long does it take to perform an Application Penetration Test?
The time a consultant needs to complete a web application penetration test depends on the scope of the test. Factors influencing the duration include the number and type of web applications assessed, the number of static or dynamic pages, and the number of input fields.
What happens at the end of a test?
After each web application security test, JUMPSEC’s application testing consultants will produce a written report, detailing any weaknesses identified, associated risk levels, and recommended remedial actions. In addition to specific remediations JUMPSEC will, where possible, provide broader guidance to help clients to address root-cause security issues that may be present in other applications.
What types of Application Penetration Test can you deliver?
JUMPSEC can deliver all types of application penetration testing and related assessments, including:
- Internal Application Penetration Testing
- External Application Penetration Testing
- Web Application Penetration Testing
- Mobile Application Penetration Testing
- Cloud-hosted Application Penetration Testing
- Web Application Firewall Penetration Testing
- API Penetration Testing
- Thick Client Penetration Testing
- Hardware Penetration Testing
- Embedded Systems Penetration Testing
- Source Code Review
- Secure Coding Training
- Secure Development Life Cycle (SDLC) Consultancy
- Rogue Client Assessment