See also Mobile Application Assessment.
Website security is essential to modern organizations. Unlike other IT systems that can be given the full protection of a firewall and IPS, the Web server has to be exposed to the world to fulfill its purpose.
Because it can’t be fully protected the Web application has become the most common route for exploiting security. And because it’s public-facing, there’s no hiding the fact that exploits have happened. Defacements are obvious to the world. When intruders gain access to user data there’s no choice but to admit the compromise. When user data is compromised there are penalties and a loss of trust.
Our Web Application Assessment Approach
“Today over 70% of attacks against a company’s website or web application come at the application layer not the network or system layer.”
— Gartner Group
Web application security encompasses measures taken throughout the application’s life cycle to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, deployment, upgrade, or maintenance of the application.
The assessment objective is to examine the subsystems, components, interactions and security mechanisms of the Web application and identify Web security weaknesses. Sword & Shield analysts have extensive experience using commercial and proprietary tools, and public domain utilities, to examine the security posture of an application. We analyze Web application security from several vantage points: the unauthorized user, the authorized user, and to the extent possible, the administrative and developer users.
Website Penetration Testing for Compliance
Some of our customers want a penetration test to satisfy their internal security standards. Others need a penetration test for compliance reasons. For customers seeking regulatory compliance we can provide a penetration test as part of a comprehensive compliance solution for healthcare, PCI, or Experian EI3PA.
|If you have a Website that collects, stores or transmits card data, PCI DSS Requirement 11.3.2 may be applicable. 11.3.2 requires you to perform application-layer penetration testing at least once a year and after any significant application upgrade or modification.|
Questions Our Report Will Answer
- Can a hacker access my internal network and resources via my website?
- Can I provide management with evidence concerning the current risk associated with Web-based applications?
- Can I obtain sufficient vulnerability details to facilitate cost-effective risk mitigation?
- Can I gain sufficient knowledge about my security posture to assist in short and long term strategy and budget planning?
Real Success Stories
Preventing a breach via custom Web Security Testing
While conducting an application assessment for a small insurance company, Sword & Shield analysts discovered a permissions issue within a custom Web application. The application allowed anonymous (non-authenticated) Internet hosts to view detailed information about the company’s clients, including date of birth, social security number, and insurance policy details. The application was not properly tracking sessions and session states, which enabled this security loophole.
Based on Sword & Shield’s findings, the insurance company was able to correct the session and session state issues. Sword & Shield’s Web Security Testing helped the insurance company prevent a security breach via their custom Web application.
Correcting SQL injection vulnerability to protect patient data
When performing an external Web application assessment/penetration test for a hospital, Sword & Shield analysts discovered an error-based SQL injection vulnerability on an insignificant page of the hospital’s main public website. When the SQL injection toolset normally used by the analysts to exploit the vulnerability failed because of character filtering, they modified an existing open-source injection program and created new scripts to overcome the filtering limitations. The vulnerability led to a complete compromise of the underlying, shared internal database, which contained personally identifiable information (PII) on hospital workers, sample credit card information, and login authentication information. Using the authentication information, the analysts were able to create new accounts or log into existing accounts on the hospital’s employee Web pages from the Internet.
The hospital was in the process of implementing an online store and the SQL injection vulnerability could have led to identity and/or information theft via the Internet. Based on Sword & Shield’s Web Security Testing, the hospital modified the offending Web application code to correct the SQL injection vulnerability—thereby preventing a potential security breach.
Find Out More
Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. Fill out our Consultation Request form or call us so we can begin securing your future.
U.S. Toll-free: 800-810-1885