Deiva Tech web application testing methodology is consistent with the testing methodology for infrastructure based IT penetration tests. In addition, there are further elements conducted as part of the mapping, service identification, vulnerability assessment and exploitation phases.
Deiva Tech uses a blended approach of Open Source (OS), custom scripts and commercial tools to conduct web application testing. All of our testing is inline with OWASP v4 (2014) recommendations and covers the OWASP Top 10 as a minimum.
As part of a web application test, Deiva Tech will assess the following elements:
The OWASP top 10 is a list of the most common types of security issues that impact web applications. It is referenced by security standards PCI DSS . All of Deiva Tech web application and penetration testing engagements cover the OWASP top 10 and are consistent with their v4 (2014) testing guide. In addition, Deiva Tech goes deeper to assess the fundamental application logic, whilst also assessing the access controls that deliver security roles and user partitioning.
Deiva Tech also pulls in information from external sources such as Facebook, LinkedIn and Twitter, to provide social engineering and authentication based attacks vectors. Combining these approaches together provides customers with a much more holistic approach to web application security testing.
The OWASP top 10 is a strong starting point for web application testing, but organisations should really look to go beyond this. The underlying application logic needs to be tested. Websites need to be assessed with different classes of users, to ensure that appropriate partitioning and access controls exist. Content Management Systems (CMS) and administrative functions should be assessed and a series of broader controls should be reviewed and tested.