Web Security Testing

A Web Security Test finds vulnerabilities that may be exploited to gain access to your internal data and network via your Web-based application. No matter where you are in the development lifecycle or whether your application is “off the shelf,” custom designed, or provided as an outsourced service, Sword & Shield can identify security flaws in application design, development, deployment, upgrades and maintenance.

Now that many government and industry regulations mandate periodic web security testing, you need a knowledgeable testing partner. Sword & Shield can identify web security weaknesses and provide detailed recommendations to reduce risk.

Our Web Security Testing Methodology

Our objective is to examine the subsystems, components, interactions and security mechanisms of the web application and identify web security weaknesses. Sword & Shield analysts have extensive experience and use commercial and proprietary tools, and public domain utilities to examine the security posture of an application. We analyze web application security from several vantage points: the unauthorized user, the authorized user, and to the extent possible, the administrative and developer users. Sword & Shield’s Web Security Testing approach consists of eight key stages:

1. Security Architecture Review
2. Vulnerability Analysis Test Plan
3. Network Mapping and Data Collection
4. Threat Model Identification
5. Vulnerability Identification (includes OWASP Top 10 security vulnerabilities)
6. Penetration Testing
7. Analysis and Reporting
8. Vulnerability Reporting Tool (VuReTo) – our proprietary tool for consolidating vulnerability descriptions from different scanning devices

Sword & Shield can perform Web Application Testing remotely with no travel costs, or on site, depending on the test plan most suitable to the client.

Questions Our Report Will Answer

• Can a hacker access my internal network and resources via my Web site?
• Can I provide management with evidence concerning the current risk associated with Web-based applications?
• Can I obtain sufficient vulnerability details to facilitate cost-effective risk mitigation?
• Can I gain sufficient knowledge about my security posture to assist in short and long term strategy and budget planning?

Real Success Stories

Preventing a breach via custom Web Security Testing

While conducting an application assessment for a small insurance company, Sword & Shield analysts discovered a permissions issue within a custom Web application. The application allowed anonymous (non-authenticated) Internet hosts to view detailed information about the company’s clients, including date of birth, social security number, and insurance policy details. The application was not properly tracking sessions and session states, which enabled this security loophole.

Based on Sword & Shield’s findings, the insurance company was able to correct the session and session state issues. Sword & Shield’s Web Security Testing helped the insurance company prevent a security breach via their custom Web application.

Correcting SQL injection vulnerability to protect patient data

When performing an external Web application assessment/penetration test for a hospital, Sword & Shield analysts discovered an error-based SQL injection vulnerability on an insignificant page of the hospital’s main public Web site. When the SQL injection toolset normally used by the analysts to exploit the vulnerability failed because of character filtering, they modified an existing open-source injection program and created new scripts to overcome the filtering limitations. The vulnerability led to a complete compromise of the underlying, shared internal database, which contained personally identifiable information (PII) on hospital workers, sample credit card information, and login authentication information. Using the authentication information, the analysts were able to create new accounts or log into existing accounts on the hospital’s employee Web pages from the Internet.

The hospital was in the process of implementing an online store and the SQL injection vulnerability could have led to identity and/or information theft via the Internet. Based on Sword & Shield’s Web Security Testing, the hospital modified the offending Web application code to correct the SQL injection vulnerability—thereby preventing a potential security breach.

Talk With a Testing Analyst

Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. To learn more about our Web Security Testing service and our other areas of expertise, please fill out our Request Consultation form or contact us by phone today.

U.S. Toll-free: 800-810-1885

International: 865-244-3500