Web Application Assessment




GIAC Certified Web Application Penetration Tester

Website security is essential to modern organizations. Unlike other IT systems, which can be given the full protection of a firewall and IPS, the Web server has to be exposed to the world to fulfill its purpose.

Because it can’t be fully protected, the Web application has become the most common route for exploiting security. And because it’s public-facing, there’s no hiding the fact that exploits have happened. Defacements are obvious to the world. When intruders gain access to user data, there’s no choice but to admit the compromise. When user data is compromised, there are penalties and a loss of trust.

Our Web Application Assessment Approach

“Today over 70% of attacks against a company’s website or web application come at the application layer, not the network or system layer.”
— Gartner Group

Web application security encompasses measures taken throughout the application’s life cycle to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, deployment, upgrade, or maintenance of the application.

The assessment objective is to examine the subsystems, components, interactions and security mechanisms of the Web application and identify Web security weaknesses. Sword & Shield analysts have extensive experience using commercial and proprietary tools, and public domain utilities, to examine the security posture of an application. We analyze Web application security from several vantage points: the unauthorized user, the authorized user, and to the extent possible, the administrative and developer users.

Website Penetration Testing for Compliance

Some of our customers want a penetration test to satisfy their internal security standards. Others need a penetration test for compliance reasons. For customers seeking regulatory compliance, we can provide a penetration test as part of a comprehensive compliance solution for healthcare, PCI, or Experian EI3PA.

  • HIPAA and HITECH Compliance
  • PCI DSS Compliance
  • Experian EI3PA Compliance

If you have a Website that collects, stores or transmits card data, PCI DSS Requirement 11.3.2 may be applicable. Requirement 11.3.2 requires you to perform application-layer penetration testing at least once a year and after any significant application upgrade or modification.

Questions Our Report Will Answer

  • Can a hacker access my internal network and resources via my website?
  • Can I provide management with evidence concerning the current risk associated with Web-based applications?
  • Can I obtain sufficient vulnerability details to facilitate cost-effective risk mitigation?
  • Can I gain sufficient knowledge about my security posture to assist in short- and long-term strategy and budget planning?

Real Success Stories

Preventing a breach via custom Web Security Testing
While conducting an application assessment for a small insurance company, Sword & Shield analysts discovered a permissions issue within a custom Web application. The application allowed anonymous (non-authenticated) Internet hosts to view detailed information about the company’s clients, including date of birth, Social Security number, and insurance policy details. The application was not properly tracking sessions and session state, which enabled this security loophole.

Based on Sword & Shield’s findings, the insurance company was able to correct the session and session state issues. Sword & Shield’s Web Security Testing helped the insurance company prevent a security breach via its custom Web application.

Correcting SQL injection vulnerability to protect patient data
When performing an external Web application assessment/penetration test for a hospital, Sword & Shield analysts discovered an error-based SQL injection vulnerability on an insignificant page of the hospital’s main public website. When the SQL injection toolset normally used by the analysts to exploit the vulnerability failed because of character filtering, they modified an existing open-source injection program and created new scripts to overcome the filtering limitations. The vulnerability led to a complete compromise of the underlying shared internal database, which contained personally identifiable information (PII) on hospital workers, sample credit card information, and login authentication information. Using the authentication information, the analysts were able to create new accounts or log into existing accounts on the hospital’s employee Web pages from the Internet.

The hospital was in the process of implementing an online store and the SQL injection vulnerability could have led to identity and/or information theft via the Internet. Based on Sword & Shield’s Web Security Testing, the hospital modified the offending Web application code to correct the SQL injection vulnerability—thereby preventing a potential security breach.

Security Assessments

Your organization’s reputation is one of its most valuable assets. Sword & Shield’s comprehensive suite of Security Assessments can expose your hidden risks and vulnerabilities and help you develop a plan to reduce your risks and prepare for attacks targeting your valuable data.

Expose Your Hidden Risks and Vulnerabilities

Request a Free Consultation for our Security Assessment services.

Featured Additional Security Assessment Services

Sword & Shield provides a wide variety of security assessment related services for our clients. The following list provides an overview of some of the most common services we perform. For more details about these services or other services we perform, contact us today.

Database Security

Our engineers are experienced in auditing Oracle, Microsoft SQL, Notes, and several other database management system products. Among other things, Sword & Shield security engineers analyze authentication and authorization controls in the database system for least-privilege access controls and audit traceability. Emphasis is placed on matching the degree of security with the business and operational needs.

Firewall Audit

A Sword & Shield Firewall/Router Audit thoroughly evaluates the rule base for known security risks and policy violations. As a first line of defense against attacks, firewalls and routers must be implemented and maintained properly. Our Firewall/Router Audit provides a detailed analysis that reduces risks and increases perimeter security.

Mobile Application Assessment

Our Mobile Application Assessment, when combined with our Web Application Assessment, provides a comprehensive assessment of the security of the Web application and of the mobile devices used to interact with it. The service analyzes the network transmissions and forensically analyzes the mobile device(s) used.

Phone Sweep

Sword & Shield performs a sweep of the telephone address space to detect unauthorized modems and authorized but insecure modems. We can perform a phone sweep as a stand-alone service, or as part of another service, such as an external network vulnerability/penetration test.

Security Architecture Review

The Architecture Review and Design process is coordinated through a client project manager and includes a set of structured interviews. These interviews and reviews focus on business areas supported by the network and the technology staff that supports the business units.

Virtual Infrastructure Assessment

This service provides the customer with the analysis necessary to protect all facets of a virtualized infrastructure. Included are areas related to access control, the application of least privilege, data protection, secure network configuration, disaster recovery planning and testing, and threat analysis. The goal of the assessment is to identify security gaps and develop remediation strategies.

VPN Audit

The VPN Audit service audits your VPN and your VPN policies and recommends techniques to optimize and enhance your VPN’s effectiveness. We identify potential security vulnerabilities and help you reduce your risks.

Website Security Consulting

Web application security encompasses measures taken throughout the application’s life cycle to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Wireless Security

Sword & Shield’s Wireless Testing examines the subsystems, components and security mechanisms of a wireless network and identifies any weaknesses.