Application Penetration Test

Share this page:

Application Penetration Test Information

Application Penetration Testing is an application analysis performed by an experienced analyst, usually using a combination of open-source and commercial utilities for performing task-specific functions and hands-on analysis to attempt to exploit application-level vulnerabilities to business impact.

Key activities include:

Hands-on testing by an experienced security analyst with the objective of determining if application vulnerabilities (generally discovered via Vulnerability Assessments) can be exploited to malicious end;
Alignment of testing with OWASP to provide management with assurance that the most common application exploitation mechanism (i.e. Injection Flaws, Insecure Direct Object Reference, Broken Authentication & Session Management) have been mitigated to an acceptable level; and
Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include; root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries

The predominant benefits realized by an Application Penetration Test are:

Provides a measure of the probability that a vulnerability can be exploited and the impact that it may have to the organization;
Can identify flaws in business logic that Vulnerability Assessments are usually incapable of finding; and
Can identify where a series of minor vulnerabilities can be sequentially leveraged to malicious means.

Application Penetration Tests are best used:

As the least expensive means to provide attestation to the net security posture of an application;
As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical applications; and
As an information-gathering mechanism to focus code scanning/reviews.

Application Penetration Test Options

Dependent upon client objectives and request for attestation we may employ various Application Penetration Testing techniques aligned with said objectives.

The Investigative Attacker doesn’t have a lot of time, and doesn’t have a lot of tools, and may not even be targeting you specifically. He may stumble upon your external IP during a sweep and will pay you little mind unless you have an obvious security problem. Attackers that get in through a blank or default password on an administrative account are Investigative Attackers.

The Intentioned Attacker has more time, and a few more tools than the Investigative attacker. More importantly, she has intent. She wants to find a weakness in your network specifically. Attackers that get in by exploiting an unpatched vulnerability in an operating system or network service are Intentioned Attackers.

The Tenacious Attacker has time, tools, intent, and determination. He is willing to go the extra mile to make it past your defenses. He may even attempt social engineering to find a way beyond your perimeter defenses. He will do it quietly, though, and take care to go unnoticed. Attackers who convince your help desk to reset an account password for them are Tenacious Attackers.

Why Partner with Pivot Point Security?

Continually evolving technology, business requirements, regulations, and threats make “being secure” and “proving you’re compliant” increasingly complex. The only logical response: Simplify. We make it easier to prove that you are secure and compliant by:

Focusing on the core group of security assessment services you need to do so;
Taking the time to understand your business and then optimizing our approach for your unique situation;
Delivering reports and guidance that are easily understood and acted on by both management and technical personnel; and,
Basing your assessment and recommendations on trusted, “open” (non-proprietary, non-vendor specific) guidance to simplify the process of operating and maintaining your Information Security Management System after we leave.

Pivot Point Security has the right combination of Information Security / Compliance domain expertise, technology industry knowledge & experience, and organizational character to simplify the process of defining and executing on the best course of action so you can know you’re secure and prove you’re compliant.

Pivot Point Security is a great choice for your Information Security demand.

Application Penetration Test Downloadable Resources

Application Penetration Test Articles

Learn How We Can Help You

ISO 27001 Roadmap

ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know – and things you may already be doing.

Database Security Roadmap

Database Security is one step in a comprehensive approach to building a robust Information Security Management System.

Penetration Testing

Penetration Tests are often used in a manner that is inconsistent with achieving the assurance that the organization seeks.

SIEM Whitepaper

Best Practices for SIEM learned from working closely with numerous vendors and customers on a wide variety of SIEM projects.