Vigilar’ Web Application Penetration Testing Service

Vigilar’s Web Application Penetration Testing is a “hands-on” test of Web Applications and their controls, using real-world hacking tools, to discover the depth of risk that may be posed by vulnerabilities in Web applications. Web Application Penetration Testing provides a thorough identification of exploitable vulnerabilities in Web applications, a risk level for each vulnerability and recommendations for remediating those vulnerabilities. This test supports compliance initiatives for regulations such as PCI, GLBA or FFIEC that require penetration tests.

Web Application Penetration Testing Overview

1. Discover high-risk Web Application vulnerabilities that expose risks of loss of confidentiality, direct loss of data assets, risks to reputation, compliance risk, or liability exposure.
2. Define remediation options for any vulnerabilities found, including methods of directly remediating, as well as compensating controls.
3. Provide auditable documentation for examiners and auditors as a part of a compliance initiative.
4. Deliver high-level executive reporting useful to management, as well as detailed technical reporting for technical staff.

Vigilar’s Web Application Penetration Testing Process
A penetration test locates logics flaws not typically detected during a vulnerability assessment. When a vulnerability has been identified, the exploitation process is documented, showing the steps a hacker may follow to exploit the vulnerability, including screenshots and examples of data that may have been extracted.

Key tasks include:

Information Leakage Discovery: using common and advanced research tools (such as Google hacking and code comments) to find information that could lead to an attack or otherwise disclose information that should not be public

Privilege Escalation and Data Leakage: performing a “hands-on” walkthrough of the application to detect where users with insufficient permissions are able to access unauthorized areas

Automated Vulnerability Scanning: using commercially available, proprietary and open source tools to identify potential vulnerabilities in the Web application

Ethical Hacking Analysis: reviewing data collected and formulating possible attack vectors, targets, and exploitation methods than can be used to gain privileged access

System Exploitation and Penetration (Vulnerability Validation): validating the discovered vulnerability by attempting to exploit the vulnerability. Vigilar security experts execute the attack plans formulated by the Ethical Hacking Analysis. Vigilar uses combination of tools and techniques to attempt a successful penetration. Upon successful penetration, Vigilar takes sample file, data, or screenshots to prove the vulnerability was successfully exploited. Screenshots depicting the step by step process of exploitation are taken and presented in the report.

Vigilar’s security experts provide the risk level for each vulnerability. Risk level is determined by looking at the probability that the vulnerability could be exploited along what could be compromised by the hacker if the vulnerability was exploited. Remediation recommendations are also provided for each vulnerability, including Vigilar Best Practices on effectively remediating the identified vulnerabilities.

1. Brute Force
2. SQL Injection
3. Cross-Site Scripting (XSS)
4. Client-Side Pricing
5. Parameter Injection
6. Directory Traversal
7. Buffer Overflow

Once the assessment is complete, the client receives a detailed set of deliverables, plus a thorough review of these reports, led by the Vigilar assessment team. These deliverables consist of:

1. Report—focuses on providing customer with the following key objectives:
   • An Executive Summary that summarizes security exposures discovered in the assessment and the potential impact upon the organization
   • A Management Report that details operational issues related to Web application vulnerabilities that were discovered
   • A Technical Report that details the identity and location of vulnerabilities
   • A Solutions Recommendation Report that helps staff begin the process of prioritizing remediation efforts, with strong emphasis on reducing the greatest risks to the enterprise first
   • PCI Compliance Summary describing how this assessment maps to specific sections of PCI in regards to Web Application security
2. Emergency Notification upon discovery of any critical vulnerability
3. Technical Conference Call to review vulnerabilities with support staff and the appropriate changes that should be made to remediate

1. Comprehensive review of Web application components using automated tools as well as hand validation by Vigilar security experts
2. Tiered levels of service for businesses of varying sizes
3. A complete set of reports that address the needs of both senior managers and technical staff
4. Guidance for prioritizing and fixing discovered vulnerabilities

1. Delivers rapid, accurate and non-invasive discovery of the security weaknesses in Web applications
2. Provides comprehensive assessments without requiring the purchase of hardware, software or staff
3. Assigns a risk level to Web application vulnerabilities to help structure and simplify remediation efforts
4. Integrates business and technical concerns associated with Web application vulnerabilities for faster, more productive remediation efforts