Web App Penetration Testing

Web app penetration testing is laser-focused on helping partners secure their customers’ Internet-facing web applications.

Cyberstone will evaluate the implementation of security controls for web applications by simulating real-world attacks.

The exploitation phase of web application penetration testing differs from internal/external penetration testing. Cyberstone will specifically attempt the following methods of exploitation: SQL injection, cross-site scripting, user context switching, directory traversal, and cookie handling.

Cyberstone uses the Open Web Application Security Project (OWASP) Top Ten framework as a guide for all of our web application penetration tests. OWASP is an open community, meaning it receives input from small and large organizations in just about every vertical market. The community’s goal is to help organizations develop and maintain web applications that can be trusted. The current Top Ten vulnerabilities facing web applications are:

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

Because Cyberstone cares about keeping your customers safe, we’ll work with them to ensure that a risk mitigation plan is in place prior to any testing efforts.

OUR STRUCTURED APPROACH FOLLOWS THE STEPS BELOW:

PLANNING
DISCOVERY
ATTACK
REPORTING

Cyberstone’s web application penetration testing service will help your customers comply with the following regulations:

  • PCI Requirement 11.3.1
  • New York State Department of Financial Services 23 NYCRR 500 §500.05(a)(1)
  • Gramm-Leach-Bliley Act §501(b)
  • Federal Trade Commission 16 CFR Part 314