- Automated Vulnerability Scanning: Automated vulnerability scanning of the application to identify obvious and common security holes (Production replica/Test Environment)
- Application Penetration Testing: Tests will be performed with the intention of identifying possible internal and external abuse of the application's sensitive information (Test Environment/Production replica)
Approach:
A high-level approach for conducting security testing of the application:
- Information Gathering: In this phase, the test team will make an effort to understand the target system and gather the data required for the overall security testing.
- Vulnerability Assessment: The objective of this phase is to uncover all possible vulnerabilities in the web server and the application under test.
- Penetration Testing: In this phase, the target system is subjected to attack and exploited manually, using the information gathered in the previous phases of testing, in order to confirm the identified vulnerabilities.
- Security Test Reporting: A security test report is produced listing all identified vulnerabilities together with their implications and possible countermeasures.
Methodology:
Testing follows the OWASP testing methodology and focuses on the following potential vulnerabilities:
- Business logic bypass
- SQL, XSS and HTML injection
- Session management weaknesses
- CSRF vulnerabilities
- Sensitive data exposure
- Insecure direct object references
- Missing function-level access control
- Privilege escalation
- Weak or missing encryption