Web Application Penetration Testing
Mitigate Successful Attacks with VerSprite’s Integrated Application Penetration Testing & Threat Modeling Process
VerSprite’s Risk-Based PASTA Threat Modeling Process
The foundation of VerSprite’s pen testing methodology is to emulate realistic attacks by a malicious actor using PASTA Threat Modeling (Process for Attack Simulation and Threat Analysis). Our risk-centric threat modeling methodology consists of 7 stages for simulating attacks and analyzing threats to the organization and application. This allows our security analysts to minimize real-world risks and associated business impact.
VerSprite’s Approach to Web Application Security Starts with Web Application Penetration Testing & Identifying Exposed APIs
Every VerSprite penetration test begins by developing a deeper understanding of the client’s organization, which allows our security analysts to design realistic threat models that reveal an attacker’s motivation and likely targets. Our team of pen testers then identifies probable attacks that can cross technologies, people, and processes, and assesses the strength of the countermeasures needed to resist them. This process ensures the list of vulnerability remediations is built around business impact and realistic attack vectors.
VerSprite performs dynamic analysis and static analysis of web applications and exposed APIs that support vital client information to validate an organization’s security posture. VerSprite’s application security experts conduct manual security testing of the web presence to identify application flaws around authentication, vulnerabilities in web frameworks, injection mitigation, malicious file uploads, and other types of web-based attacks.
VerSprite Conducts 3 Types of Application Security Testing
Dynamic Application Security Testing (DAST)
VerSprite’s web app security team combines automation with niche, manual dynamic analysis. We perform extensive dynamic analysis of applications and exposed APIs that support vital client information to validate their security posture.
Static Application Security Testing (SAST)
Static analysis focuses on the use cases that are most impactful to an application and to the business. VerSprite’s SAST approach also allows for considerations of architectural controls and other enterprise countermeasures.
Manual Application Penetration Testing
Real people understand attackers’ motivations better than automated tools. VerSprite conducts manual exploitation testing against the web APIs that support the application’s use cases, in the organization’s QA environment.
Web Application Pen Testing Substantiates Identified Vulnerabilities, Threats, and Attack Patterns
Web application penetration tests are intended to substantiate identified vulnerabilities, threats, and attack patterns, and to illustrate to product groups and software engineering teams the viability of those attack patterns and their probability of producing a successful breach.
Each VerSprite web security assessment reviews the overall application and interfaces, which include the following:
- Target Evaluation – VerSprite’s BlackOps pen testers evaluate and analyze the application for known and unknown security vulnerabilities from the perspective of both an anonymous user and a credentialed user.
- Review & Execute on Application Threat Model – VerSprite conducts a detailed analysis of technologies, functionality, and data entry points to identify areas of the API that could be flawed and would pose a higher level of impact. Our AppSec team reviews the overall application architecture and evaluates data flows and trust boundaries for the APIs in scope.
- Threat Based Testing – For each use case, such as anonymous and credentialed users, VerSprite applies a threat model to substantiate the most probable attack patterns and scenarios that the API and its associated methods will face.
- Attacking Application Logic – VerSprite consultants enumerate and locate client-side controls (e.g., input validation implemented in JavaScript) to subvert any API logic, and identify and attempt to abuse any multistage processes, trust boundaries, and transaction logic.
- Attacking Access Handling for Anonymous Use Case – VerSprite consultants attempt to gain access by identifying weaknesses in an API endpoint’s authentication logic, including, but not limited to, brute-force techniques, abuse of password reset and “remember me” functionality, or complete authentication bypass using techniques such as SQL injection payloads.
- Attacking Access Handling for Credentialed Use Case – VerSprite consultants use the credentialed user to evaluate and analyze which use cases could be abused during both anonymous and authenticated sessions, attack and test the API’s session handling mechanisms, attempt horizontal and vertical privilege escalation, and test the API’s authorization model and implementation. Our goal is to reach administrative functions that may be supported outside of the application (i.e., at the platform level).
- Attacking Input Handling – VerSprite uses a variety of manual and commercial tools to test input-related weaknesses in the application. Applications are fuzzed for vulnerabilities such as cross-site scripting, SQL injection, and path traversal, using the OWASP Top 10 and our 13 years of experience protecting organizations from a variety of threat actors as the reference point and attack model.
- Attacking Web Services – VerSprite security consultants test beyond the OWASP Top 10 and standard software vulnerabilities for web application services. Our team goes beyond these standards by using more adversarial attack patterns as part of our PASTA threat modeling approach, which allows us to perform penetration testing that reflects realistic abuse cases based on the industry, application type, architecture, and data model of the application.