Security testing should be carried out throughout the Software Development Lifecycle to ensure the application is as robust as possible.
Our consultants test the application against the OWASP Top Ten categories of vulnerability, which include SQL Injection, Cross-site Scripting and unrestricted access to files or directories that should be protected (Broken Access Control). Where we identify known vulnerabilities in a commercial application, the consultant will attempt to exploit them, unless exploitation is known to risk a Denial of Service. Once the application has been tested against the OWASP Top Ten, we check for less well-known vulnerabilities that may still affect it, and for business-logic and other flaws that the OWASP Top Ten would not identify.
Typically, we test with several levels of credentials, ideally with two or more accounts at each level (e.g. unauthenticated user, authenticated user and admin user). Two accounts at the same level let us check horizontal access controls (whether one user can reach another user's data), while accounts at different levels let us check vertical ones (whether a user can reach admin functionality).
Unauthenticated, our consultant will attempt to authenticate without valid credentials, or to reach functionality that should only be available to authenticated users.
With an authenticated account, our consultant will try to access or modify the details of other users, or to gain access to other users' data that they should not be able to see.
As an admin user, our consultant will map the application's functionality, including its privileged operations, and use that map to drive privilege escalation attacks from the lower-privileged accounts.
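The multi-account approach described above can be turned into a systematic check: record each request made during a normal walk-through, then replay it under every other session (and with no session at all) and compare each response with the intended authorisation policy. The following is an added, constructed example and not the consultancy's own tooling: `toy_app`, the accounts `alice`, `bob` and `carol`, the `tok-*` session tokens, the `/profile/<id>` and `/admin/users` endpoints and the `PROFILES` data are all hypothetical stand-ins for a real target. The toy application is written with a deliberate insecure direct object reference on `/profile/<id>` (authentication is checked, ownership is not) so that the harness has something to find; the `enforce_owner` flag shows the corrected behaviour.

```python
from dataclasses import dataclass
from functools import partial
from typing import Callable, Optional

LEVELS = {"user": 1, "admin": 2}  # higher number = more privilege


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "user" or "admin"


# Constructed test accounts (hypothetical): two at the user level, which is what
# makes horizontal checks possible, plus one admin. Tokens stand in for cookies.
SESSIONS = {
    "tok-alice": Principal("alice", "user"),
    "tok-bob": Principal("bob", "user"),
    "tok-carol": Principal("carol", "admin"),
}
PRINCIPALS = {p.name: p for p in SESSIONS.values()}

# Constructed application data: profile records keyed by id, each with an owner.
PROFILES = {1: {"owner": "alice"}, 2: {"owner": "bob"}}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    recorded_as: str  # account that originally made the request


def profile_id(path: str) -> int:
    return int(path.rsplit("/", 1)[1])


def toy_app(req: Request, token: Optional[str], enforce_owner: bool = False) -> int:
    """Hypothetical server returning an HTTP-like status code.

    With enforce_owner=False, GET /profile/<id> only checks that the caller is
    logged in, not that they own the record (the deliberate IDOR flaw).
    """
    principal = SESSIONS.get(token)
    if req.path.startswith("/profile/"):
        if principal is None:
            return 401
        pid = profile_id(req.path)
        if pid not in PROFILES:
            return 404
        if enforce_owner and principal.role != "admin" and PROFILES[pid]["owner"] != principal.name:
            return 403
        return 200
    if req.path == "/admin/users":
        if principal is None:
            return 401
        return 200 if principal.role == "admin" else 403
    return 404


def expected_allowed(req: Request, principal: Optional[Principal]) -> bool:
    """The intended policy: what the tester expects the application to enforce."""
    if principal is None:
        return False
    if req.path.startswith("/profile/"):
        owner = PROFILES[profile_id(req.path)]["owner"]
        return principal.role == "admin" or principal.name == owner
    if req.path == "/admin/users":
        return principal.role == "admin"
    return False


def classify(original: Principal, replayer: Optional[Principal]) -> str:
    """Label a finding by the relationship between recorder and replayer."""
    if replayer is None:
        return "unauthenticated"
    if LEVELS[replayer.role] < LEVELS[original.role]:
        return "vertical"    # lower-privileged account reached a higher-privileged function
    if LEVELS[replayer.role] == LEVELS[original.role]:
        return "horizontal"  # same level, different account
    return "cross-role"


def replay_matrix(app: Callable[[Request, Optional[str]], int], requests, sessions):
    """Replay each recorded request under every other session and with none.

    Returns (method, path, replayer, class, status) for each response that
    succeeded (status < 400) where the policy says it should not have.
    """
    findings = []
    candidates = [(None, None)] + list(sessions.items())
    for req in requests:
        for token, principal in candidates:
            if principal is not None and principal.name == req.recorded_as:
                continue  # replaying as the original account proves nothing
            status = app(req, token)
            if status < 400 and not expected_allowed(req, principal):
                who = principal.name if principal else "anon"
                findings.append((req.method, req.path, who,
                                 classify(PRINCIPALS[req.recorded_as], principal), status))
    return findings


# Constructed traffic capture: one request per account from a normal walk-through.
RECORDED = [
    Request("GET", "/profile/1", "alice"),
    Request("GET", "/profile/2", "bob"),
    Request("POST", "/admin/users", "carol"),
]


def run_example(enforce_owner: bool = False):
    return replay_matrix(partial(toy_app, enforce_owner=enforce_owner), RECORDED, SESSIONS)


if __name__ == "__main__":
    for finding in run_example():
        print("FLAWED:", finding)
    print("FIXED :", run_example(enforce_owner=True))
```

Against the flawed application the harness reports two horizontal findings (bob reading alice's profile and alice reading bob's), which only the second user-level account could have revealed; the unauthenticated replays and the user-level replays of the admin endpoint are correctly rejected, and with `enforce_owner=True` no findings remain. On a real engagement the recorded requests would come from a proxy capture and `app` would issue live HTTP requests, but the matrix logic is the same.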