Why perform pentests on your web applications?

White Papers & Publications
24 May 2021


Targets of choice for cyber-attacks, web applications can be a critical component of your business model. Because more and more private and sensitive data are being stored and processed through these applications, it is crucial to ensure they don’t have any security flaws that hackers could exploit.

Automated scans can detect many issues but manual pentesting is the only way to assess your real risks. A human review can identify logical and content flaws that a scan simply can’t.

To avoid a data breach affecting their customers, or to meet the security expectations of their clients, organisations want to assess the vulnerabilities of the web applications they have developed, so that the issues can be identified and fixed (internally or externally).

Find out quickly where you are vulnerable with a pentest before hackers get the chance to exploit your weaknesses!  

A pentest alone is not a sufficient step to ensure a company’s protection. It is however a core component of a robust cyber security strategy as it is a good first step to reveal any vulnerabilities.

 

What are the top 10 vulnerabilities in web applications?

Our ethical hacking team has highlighted key statistics in an annual report based on the penetration tests they performed on web applications for customers in 2020.

  • 100% of applications presented at least one vulnerability and 51.5% had at least one critical issue.
  • Almost half of the vulnerabilities are not discoverable by security scanners alone, as they depend on application logic and content.
  • The issues that can’t be detected simply with an automated scan are also some of the easiest ones to exploit.

What kinds of security testing for your application?

To be sure that your mobile or web applications, and thus your business and customer data, are protected from hackers, your application security testing must be comprehensive. It should be applied in different situations: early or later in your Secure Software Development Life Cycle (S-SDLC), from the outside in or from the inside out, and with or without knowledge of your technologies and resources (the ‘white-box’ versus the ‘black-box’ approach).

  1. Secure Code Review:
    In a ‘white-box’ approach based on Secure Code Review, security vulnerabilities can be detected early in the development lifecycle. This reduces overhead costs and the time it takes developers to remediate security bugs. We perform secure code review through a combination of manual and automated efforts. 
    Automated tools, such as Static Application Security Testing (SAST) tools, can quickly scan the code base to identify areas of interest and potential vulnerabilities. Secure Code Review helps to maintain consistent secure coding across the company at the speed of DevOps. It also delivers awareness and training to the developers.
     
  2. Vulnerability Assessment:
    When your web application or web service runs in production, you need to monitor and protect it against security flaws and threats such as cross-site scripting, SQL injection, command injection, path traversal and insecure server configuration. A Vulnerability Assessment checks whether the application is affected by any known vulnerabilities. This repetitive task must be automated with appropriate tools, such as Dynamic Application Security Testing (DAST). The findings and results are then analysed by our Application Security specialists, who weed out false positives and draw up a remediation plan.
     
  3. Penetration Test:
    The purpose of a penetration test, also called a ‘pen test’ or ‘intrusion test’, is to identify vulnerabilities in your application that an outside attacker could exploit with no knowledge (black-box security testing) of the technologies the application is built on or of its surrounding environment. In this case, our team of experienced ethical hackers, the ‘White Hats’, performs exhaustive manual tests using the same techniques and resources that a malicious hacker (a ‘Black Hat’) would use. The White Hats hunt for any vulnerabilities left in your application and infrastructure. They also check for functional errors against the business logic, and for errors made in the implementation and configuration of the application.
    The penetration testing activity is typically performed just before a major release, or before a new business-critical application is put into production. For those customers that need their applications to remain secure at all times, we perform Pen Testing as a Service.
     
  4. Red Teaming:
    Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company’s people, networks, applications and physical security controls can withstand an attack from a real-life adversary.
    A thorough red team test will expose vulnerabilities regarding the technology, the people and the physical environment (breaking into offices, buildings, data centres, etc.). Our team of ethical hackers and security officers can perform Red Teaming attack simulations in diverse corporate environments. We can help you go beyond standard penetration testing and test your overall cyber resilience.
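To make the Vulnerability Assessment item above concrete, the following is an added illustration (not Approach’s code and not a tool described on this page) of two of the flaw classes it names, path traversal and SQL injection. Each handler is shown in a vulnerable and a hardened form, and a small assessment-style check reports which handlers are affected, which is the kind of question a DAST probe asks of a running application. The upload root, the users table and its records are constructed for the example.

```python
"""
Added illustration (not Approach's code): two flaw classes that a vulnerability
assessment probes for, each in a vulnerable and a hardened form, plus a tiny
check that reports which handler is affected. Every path, table and record here
is constructed for the example.
"""
import os
import sqlite3

UPLOAD_ROOT = "/srv/app/uploads"  # hypothetical document root for downloads


# --- Path traversal ---------------------------------------------------------

def resolve_download_vulnerable(filename):
    # Joins user input straight onto the root; "../" segments walk out of it.
    return os.path.normpath(os.path.join(UPLOAD_ROOT, filename))


def resolve_download_hardened(filename):
    # Canonicalise first, then refuse any result that is not inside UPLOAD_ROOT.
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root")
    return candidate


# --- SQL injection ----------------------------------------------------------

def build_user_db():
    # In-memory table with constructed sample users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # String formatting lets the input change the SQL grammar itself.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, name):
    # A bound parameter is only ever treated as a value, never as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# --- Assessment-style check -------------------------------------------------

TRAVERSAL_PROBE = "../../../etc/passwd"   # classic probe for the file handler
SQLI_PROBE = "nobody' OR '1'='1"          # classic probe for the lookup handler


def traversal_check(resolver):
    # Vulnerable if the probe resolves to a location outside the upload root.
    try:
        resolved = resolver(TRAVERSAL_PROBE)
    except ValueError:
        return False
    return not resolved.startswith(os.path.realpath(UPLOAD_ROOT) + os.sep)


def sqli_check(finder):
    # Vulnerable if a probe that matches no real user still returns rows.
    return len(finder(build_user_db(), SQLI_PROBE)) > 0


def assessment_report():
    # Maps each handler to True when the corresponding probe succeeds.
    return {
        "download_vulnerable": traversal_check(resolve_download_vulnerable),
        "download_hardened": traversal_check(resolve_download_hardened),
        "lookup_vulnerable": sqli_check(find_user_vulnerable),
        "lookup_hardened": sqli_check(find_user_hardened),
    }


if __name__ == "__main__":
    for handler, vulnerable in assessment_report().items():
        print(f"{handler}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Running the script prints a verdict per handler. The two hardened handlers share one principle: keep untrusted input in the data position (a canonicalised path checked against a root, a bound query parameter) so that it can never reshape the file system path or the SQL statement.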
 

What are the benefits?

Pentesting is a powerful way to achieve security through the offensive security mindset, with one of the best and fastest returns on investment. You will:

  • Detect and fix a maximum of vulnerabilities, in order to make attacks much harder (or impossible), and to simultaneously raise the level of security awareness.
  • Prevent damage to your company’s reputation and customer confidence and avoid business disruptions.
  • Save substantial money that would otherwise be lost in potential data breaches, losses and frauds.
  • Raise the level of security awareness across the organisation and more particularly within your developers’ team.
 

Why partner with Approach?

  • Strong red team of 15+ certified ethical hackers following the best methods and standards, such as the OSSTMM and OWASP.
  • Proven experience: more than 1000 missions in the past 20 years.
  • Trusted partner: strict rules of engagement and the utmost confidentiality. We are ISO 27001 certified.
  • Unique joint expertise in cyber security and software development.
  • Holistic approach to cyber security.