Web Application Security Assessment
Since critical business processes and financial transactions are often carried out at the application level, this level is of particular interest to attackers. Web applications exposed on the Internet are subject to particular security threats due to their global accessibility. They often have a direct connection to internal systems (e.g. the database of the ERP system) and thus also form a potential gateway into the internal network.
Identification of vulnerabilities in defined web applications and risk assessment for specific threat scenarios
How secure is the web application? What damage can external attackers and malicious users cause in the worst case?
Web applications including their interfaces as well as base and backend systems
In a Web Application Security Assessment (WASA), both the base systems (operating systems, web servers, databases, etc.) and the application itself are analyzed with regard to existing vulnerabilities. The auditor does not only take the perspective of external attackers. The misconduct of privileged and unprivileged users is also considered as part of the assessment. Examples of attack attempts range from carrying out unauthorized actions, through exploiting the base system, to database manipulation using input and query forms.
In general, the assessment aims at an examination that is as comprehensive as possible. However, depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a). In this case, the focus is on particularly security-critical or endangered areas, and the scope of the test is determined by the time budget agreed upon in advance.
With regard to Web Application Security we comply with the guidelines issued by the internationally accepted Open Web Application Security Project (OWASP).
In general, the following points will be covered by the WASA:
- Assessment of the web application’s base and backend systems (operating system, web server, load balancer, etc.)
- Assessment of authentication mechanisms
- Assessment of the implemented session management
- Assessment of used backend interfaces (APIs)
- Examination for vulnerabilities with a focus on the OWASP Top Ten
- Examination for weaknesses in the application logic
- Extended attacks and exploitation of identified vulnerabilities
- Documentation including risk assessment and description of measures
As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
- Detailed description of the iterative exploitation process when using chained vulnerabilities
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.