Web Application Security Testing
The client is an application service provider of enterprise GST and e-Invoicing Software. The Customer’s client base comprises major players across various industries, such as financial services, healthcare, manufacturing, technology and telecom.
Acting as an intermediary between its clients and the government for GST and e-invoicing, the Customer processes a large volume of clients’ confidential data. This sensitive data needs solid protection against theft or tampering. Any data security breach could cause clients financial loss and damage the Customer’s brand reputation in the market. To maintain its reputation as a trustworthy service provider with a strong security posture, the Customer chose ANA Cyber Forensic to perform web application security testing with our experienced information security experts.
Web application security testing was conducted according to the black-box attacker model, in which our information security experts had only limited access to the Customer’s application (a single user account). ANA Cyber Forensic’s web application security testing methodology was based on the OWASP Top 10 threat classification.
We screened for all the vulnerabilities in OWASP’s security risk checklist and paid special attention to those potentially most severe for the Customer: Broken Authentication, Broken Access Control, Security Misconfiguration and the Use of Components with Known Vulnerabilities.
Our web application penetration testing methodology is as follows:
- Reconnaissance – Searching the Internet for the customer’s public-facing presence and information using OSINT.
- Network Surveying and Services Identification – Sketching a picture of what the customer’s perimeter looks like to the outside world.
- Manual Environmental Testing – Analysing gathered data to build and execute an attack plan.
- Password Cracking – Attempting to crack any recovered password hashes or to brute-force any authentication mechanisms.
- Manual Application Testing – OWASP Testing Methodology, including Access Control / Authorization, Authentication, Session Management, Configuration Management / Web Application Architecture Review, Error Handling, Data Protection and Input Validation.
- Root Cause Analysis and Reporting – Identifying the root causes of the issues found, which are then classified and compiled into a final deliverable.
The combination of automated, detailed network scanning and manual vulnerability exploitation techniques allowed our information security experts to conduct a thorough check for security weaknesses in the Customer’s network.
This was followed by a report that provided a comprehensive view of the system’s security state, specifying the security risks of primary importance for the Customer and the relevant corrective measures.
Outcomes for the Customer were as follows:
- Gained assurance that its web applications and APIs are secured.
- Received actionable recommendations to enhance security.
- Reduced web application related risk and improved operational efficiency.
- Maintained customer, employee and business partner confidence.