Application Penetration Testing
We offer application penetration testing services for any application type, language or environment.
All of our application penetration testing follows the industry standard methods and adheres to the OWASP top ten methodology for application vulnerabilities and weaknesses.
Application penetration testing (also known as a pentest or pentesting) is an authorised security test on an application to identify vulnerabilities that may be present and could be exploited. Testing can be conducted via the Internet (if the application is externally facing) to identify any external facing vulnerabilities, or from inside the company for an internal application or if the application is not open to the Internet.
Vulnerabilities within applications could expose sensitive data to unauthorised users, or be used to further compromise systems within the organisation.
An application penetration test gives assurance of the applications security. It tests the application manually for weaknesses in access controls, user permissions and separation, input injection, file upload/download functionality, authorisation and authentication. It can identify weaknesses that may allow an unauthorised user to use the application in a non-intended manner and provide access to information they are not authorised to view.
The vulnerabilities identified are reported back to the system owner along with mitigation recommendations.
Penetration testing can also be used to test an organisation's compliance with security policies, the security awareness of its staff and how effectively it can respond to security threats.
An application penetration test can provide assurance that the application security controls tested have been developed and configured in line with security best practice and that there are no common or publicly known vulnerabilities in the application at the time of the test. If vulnerabilities are found these can be rectified before an attack or security breach occurs.
Application penetration testing will enable you to:
- Manage vulnerabilities
- Identify any code development or deployment issues
- Avoid extra cost and reputation damage from a security breach
- Provide evidence of compliance with regulatory and certification standards
- Provide assurance to customers and suppliers that their data is secure
We are able to conduct penetration testing on all types of application, examples of the most common are listed below:
- Website application testing (Thin Client apps)
- Microsoft SharePoint testing and reviews
- CMS (Content Management Systems) testing
- CRM (Customer Relationship Management) testing
- Online shopping e-commerce sites
- Commercial or bespoke applications
- Thick Client application testing
- JAVA based applications
- Mobile application testing and reverse engineering for Android and Apple iOS applications
- Application traffic sniffing, to ensure the transmission of data is encrypted end to end
- Application code reviews in all major languages
- Application single sign on or authentication testing
Armadillo Sec are a CREST certified testing body and we are accredited to operate as a CHECK service provider. All of our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT Level. Our testers are also CHECK Team Leaders (CTL’s) or CHECK Team Members (CTM’s) and are approved to conduct government CHECK testing.
Our team have many years experience conducting a broad range of government and commercial tests and always aim to go the extra mile for our customers.
Frequently Asked Questions
This tests the functionality that is possible without being logged in to the application as an authorised user. If the application is Internet facing, this simulates what a non-authorised user who accesses the application could do. If the application has self-registration or contains form submissions, it is recommended that authenticated testing of the back end is also conducted, as it may be possible for malicious code to be injected that could exploit an authorised user.
This tests the functionality possible while using login credentials. If different user role levels exist, permission separation can be assessed to ensure low privileged users are not able to access functions for higher privileged users such as editors or administrators. This also provides assurance that one client of an application can not access other clients information.
Authenticated testing often allows more features within the application to be tested and therefore provides a much more thorough assessment of the application for vulnerabilities.
All our testers are certified by CREST and our senior consultants are certified by CREST to the highest CCT level.
|CREST Certifications||Certified Testers|
|Practitioner Security Analysts||Yes|
|Registered Penetration Testers||Yes|
|Certified Web Application Testers||Yes|
|Certified Infrastructure Testers||Yes|
|Certified Simulated Attack Specialist||Yes|
|Certified Simulated Attack Manager||Yes|
Our CREST member status can be viewed, along with the certified tester types we have on the below link:
Our testers are also CHECK Team Leaders (CTL's) or CHECK Team Members (CTM's) and are approved to conduct government CHECK testing.
|CHECK Status||Certified Testers|
|CHECK Team Member (CTM)||Yes|
|CHECK Team Leader (CTL) - Infrastructure||Yes|
|CHECK Team Leader (CTL) - Applications||Yes|
Our CHECK status can be viewed on the below link:
It is recommended that application penetration testing is conducted annually as cyber threats are constantly evolving.
If major changes are made to the application, such as new versions or features, then it is recommended that additional testing is conducted before the code is pushed to the live environment. This ensures that any recent changes are not introducing new vulnerabilities into the environment.
Some certifications such as ISO 27001 or PCI DSS, require a certain frequency of testing to remain compliant.
Penetration testing is bespoke depending on the goal or outcome you wish to achieve, therefore there is not an off-the-shelf price for a penetration test.
As application sizes and functionality can vary significantly, for each project we will technically scope your requirements and establish the time needed to complete the work. We will then provide a detailed proposal and breakdown of costs and options.
We supply a full penetration testing report, which covers the following:
- Executive management summary - Non technical overview of issues for management board level
- Detailed technical findings - A complete list of all issues identified
- Affected pages - A list of all areas/pages/URLs affected, including any associated parameters
- Risk level - Impact, likelihood and overall risk ratings are listed for each issue
- Examples - Output or screenshots to demonstrate the issue
- Recommendations - Recommendations of how to remediate the issues, including any reference to documents that can assist
A sample report can be supplied upon request.
We have a full methodology for all testing services we provide, which is supplied with each project proposal. This outlines the testing steps and all the requirements in order to deliver the test.
All of our application testing methodology aligns to the OWASP top 10 standard, which is the industry standard for application security.