EWA-Canada's methodology for application security testing is based upon the Open Web Application Security Project (OWASP) standards for designing secure applications, as well as its standards for testing and penetrating application security. Unlike network and system testing, where the work primarily involves testing to identify known vulnerabilities in specific technologies, the custom nature of most applications significantly reduces the effectiveness of automated tools. As a result, valid web application testing requires specialized tools and techniques and, more importantly, experienced and knowledgeable testers who can understand and test custom applications. Specifically, while the testing of web-based applications starts with specialized automated web application test tools, the majority of the testing results from the security analyst fully exploring and examining an application's functionality in detail using a web browser and proxies.
While EWA-Canada has performed uninformed “black-box” application security testing, our preference is to work with our clients to conduct informed testing with our tester normally having access to the application’s designers and documentation. We have found this approach provides the most cost-effective and thorough method of assessing an application’s operational security.
EWA-Canada has extensive experience assessing multi-tiered applications implemented using a variety of frameworks and technologies, and our web application security testing methodology can identify over 40 types of potential application vulnerabilities in the following categories:
- Configuration Management;
- Business Logic;
- Session Management;
- Data Validation;
- Denial of Service;
- Web Services Testing; and
- AJAX Testing.