The explosion of web and mobile applications presents an entirely new set of security challenges. While most of the tools and practices of traditional web and desktop applications are equally applicable to mobile, there are some unique concerns to keep in mind, including lost or stolen devices, mobile malware, targeted attacks on devices, and more.
A vulnerability assessment usually includes a mapping of the network and systems connected to it, an identification of the services and versions of services running and the creation of a catalogue of the vulnerable systems. A vulnerability assessment normally forms the first part of a penetration test. The additional step in a penetration test is the exploitation of any detected vulnerabilities, to confirm their existence, and to determine the damage that might result due to the vulnerability being exploited and the resulting impact on the organisation.
During this phase, we will utilize best on a market methodology created by Open Web Application Security Project (OWASP) and test cases from OWASP Application Security Verification Standard Project. Web and Mobile Application Penetration Testing efforts will be based on the following guidelines and security standards:
Authentication: we will evaluate the adequacy of the application’s authentication control mechanism as it processes the identity of individuals or entities.
Input Manipulation: we will evaluate the adequacy of the application’s input controls as the application processes inputs received from different interfaces and\or entry points.
Information Leakage: we will determine the type of information that is transferred back to the user or stored in the client’s machine.
Session Management: we will evaluate the adequacy of the application’s session management control mechanism as it traces the activities performed by authenticated application users.
Output Manipulation: we will determine if it is possible to get information from the temporary Internet files, cookies, and other application objects.
Other Tests: we will assess the application based on other attacks, tampering methods, and manipulations commonly used by hackers.
Application testing includes checks for the presence of the most critical vulnerabilities including the OWASP Top 10 vulnerabilities, such as:
Network layer testing includes checks for the presence of the most critical vulnerabilities, such as: