
Web Application Security Blackbox

Essentials

The Black Box Web Application Assessment is designed to treat the application as an “unknown entity”: no knowledge of the application tiers is provided. SecureState attempts to bypass security restrictions from the perspective of an attacker with no prior knowledge. We initiate an attack against the application and attempt to circumvent specific security restrictions on the site. These attacks rely heavily on automated scans; however, a large portion of the work is still manual. SecureState utilizes multiple web application scanners, such as Burp Suite’s Active Scanner, w3af, SkipFish and Acunetix, during all Black Box Assessments. A Black Box Web Application Assessment is an important part of a Secure SDLC.

  • A Black Box Web Application Security Assessment represents 70% automated tools with 30% manual techniques
  • Black Box Web Application Security Assessments find many of the OWASP Top 10 Vulnerabilities, such as SQL Injection and Cross-Site Scripting (XSS)

Benefits

With Black Box testing, SecureState does not test the business logic of the web application or attempt to understand how vulnerabilities may affect users of the system, except for the authentication and authorization functions. However, Black Box testing helps to identify many of the OWASP Top Ten vulnerabilities that are common to web applications. All tests are made against the external application, and SecureState does not use credentials to test the application (unless accounts can be harvested from the site), which truly makes the assessment a “blind test.”

Expertise

SecureState has been testing clients’ Web Application Security (WAS) for over nine years, and the Assessment remains one of our core services; we perform many of them for hundreds of clients. Our experience and expertise have led us to follow a very detailed and structured methodology, based on OWASP, for performing WAS Assessments. SecureState uses the mindset and methodology of a hacker to attempt to exploit vulnerabilities and misconfigurations in the application. There isn’t a better way to approach Web Application testing.

Did You Know?

  • A Black Box WAS Assessment simulates an attacker having no knowledge of the application
  • Black Box WAS Assessments are an important part of any SDLC
  • Black Box WAS Assessments provide results quickly and accurately through manual validation of vulnerabilities
  • Web Application Assessments should be performed whenever there are code or infrastructure changes

Our Approach and Methodology

The SecureState Profiling Team is well known and highly regarded for its expertise in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST 800-115, OWASP and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment and mitigate the identified vulnerabilities. The SecureState Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement Interactions:

In this phase, SecureState works with the client to establish the rules of engagement and scope, and both parties exchange contact information. Next, we provide a detailed Project Charter which contains the scope and everything that will be required to conduct the testing. The Project Charter is discussed on the kickoff call prior to the beginning of the engagement.

Phase II – Information Gathering:

SecureState gathers the in-scope URL and determines what type of web application vulnerability scan needs to be conducted. Depending on the design and complexity of the web site, either a manually assisted or a fully automated scan is conducted.

Phase III – Vulnerability Scanning:

In the case of a manually assisted vulnerability scan, SecureState navigates the web site and runs an active web application vulnerability scanner against each page of the application. In the case of a fully automated scan, SecureState configures the vulnerability scanner to scan the website automatically. Upon the client’s request, this scan can be scheduled to run off hours or during maintenance windows where applicable. SecureState only uses the best open source and commercial web application security vulnerability scanners, such as Burp Suite’s Active Scan, w3af, SkipFish and Acunetix.

Phase IV – Manual Validation:

Upon completion of the vulnerability scanning phase, SecureState manually validates all High and Extreme vulnerabilities discovered. For example, if SQL Injection is found, SecureState determines whether the vulnerability is exploitable. In addition, any confirmed Extreme findings are immediately communicated to the client.

Phase V – Reporting:

As part of the deliverable, SecureState provides a report containing a short graphical summary aimed at senior management, a narrative body detailing the major findings, and a detailed findings section aimed at technical staff. SecureState also provides a closing call and a high-level executive presentation to summarize the penetration test and to give the client an opportunity to ask questions about the engagement.

What Makes Us Different

  • SecureState uses a team based approach for all Web Application Security Assessments
  • Utilizes proprietary Vulnerability Linkage Theory (VLT) to achieve a greater attack
  • Demonstrates proprietary tools to Clients during on site Web Application Security Assessments
  • Publishes our own Exploits, Zero Days and Tools to the Information Security Community
  • Profiling Team members are known as experts in Web Application Security Assessments worldwide
  • Contributed significantly to OWASP’s Web Application Testing Guide project
  • Profiling Team members are frequent speakers at national and world-wide security and hacking conferences such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Conducts all external Web Application Security Assessments from our state-of-the-art hacking war room in SecureState’s world headquarters, a DoD-cleared facility
  • Provides a secure two-factor authentication web portal for access to Web Application Security Assessment results
  • Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments to compare your company to your industry peers from a security perspective
