Website Security Audit Assessment Service

    Website Security Assessment Auditing Service

    Identify web application security issues with our website security audit service.

    Request a Quote

    Our web application security assessment service simulates a real-world attack, identifying security issues within your organisations web applications, website and web services such as REST and SOAP API’s. Identified security issues are documented in a severity ordered report with clear recommendation instructions, allowing your organisation to fix and secure identified security issues. Fixing the identified security proactively will help prevent your web applications becoming compromised, potentially breaching sensitive and personal information which could lead to brand damage.

    Our website security assessment services are carried out by experienced, certified security consultants. A web application audit will help your organisation:

    • Understand security issues within your applications or infrastructure
    • Understand the level of risk each security issues poses
    • Fix identified application security issues

    What is a Web App Security Assessment?

    Web application security assessment also known as a website security assessment is a point-in-time security audit of a website (web app) that provides a deep dive analyses identifying any security issues within the web application. Unlike our penetration testing service, a web application security assessment focuses specifically on identifying security issues and vulnerabilities within the web application and the web server configuration.

    Service Summary:

    The following issues are assessed during a web application security assessment:

    • Information Gathering
    • Web Server Configuration Security Audit
    • Identity Management
    • Authentication
    • Authorisation
    • Session Management
    • Data Validation
    • Error Handling
    • Weak Cryptography
    • Logic Flaw
    • Client side

    We providing a clear easy to understand report with recommendations and fix instructions, allowing your team to resolve discovered security issues.

    Why you should perform a Web Application Assessment

    Performing a website security audit will enable your organisation to identify and fix potential vulnerabilities and security issues within your web applications or web servers.

    Web application assessments combines both automated vulnerability scans and advanced manual web application security to ensure all areas of your web applications are assessed. Our assessment use industry-approved methodologies, and our consultants are both CREST & OSCP certified.

    Test your Controls or Cloud Security

    Web applications are inherently insecure, while the industry has made significant improvements in recent years with the adoption of open source frameworks mistakes are still common and a number backends are now often insecurely exposed, a reflection of this is insecure API access being recently added to the OWASP 2017 top 10. Assessment covers all areas of the OWASP top 10 and test your host or cloud providers security control to help ensure your applications are secure and not vulnerable to attack.

    API Security Assessment Services

    Modern web applications typically use frameworks with API backends and are essentially front ends for users that send requests to a backend SOAP or REST API also known as a RESTful web service. Incorrectly secured API’s are easy to exploit and endpoints that do not have the correct controls in place to rate limit malicious users are particularly susceptible to automated attacks.

    Website Security Assessment Service

    Aptive provide website security assessments, which we treat as the same service as a web app security audit. Our in-depth web app security audits use an OWASP based methodology where all areas of the OWASP top 10 are assessed.

    Methodology

    Our internal web app security audit methodology is based on the OWASP ASVS framework (Open Web Application Security Project).

    Final Deliverables

    Aptive provide a clear easy to understand report that provide an executive summary narrative, a technical summary, graphs that clearly display the discovered vulnerabilities and the assigned severity. Each web app security issue has a CVSSv3.0 assigned score, business impact, summary, technical description, evidence and our recommendation for remediation or mitigation.

    In addition to the report we provide a remediation plan spreadsheet for your team to work through during the remediation phase of the assessment. During the remediation phase of the assessment we are available for any questions or clarification that you may require, by email or phone.

    After the remediation work has been completed by your team, we provide free retesting for all discovered web app security issues.

    If any high or critical severity issues are discovered during the web application security assessment, we will notify you immediately.

    Typical Costs
    TypeStarting PriceDescription
    Web Application 1Contact UsAssessment covers 25 static/dynamic pages or tabs, 2 user role authorisation testing (1 authenticated + anonymous). 1 x file upload function and all areas of the OWASP testing methodology and is assessed manually by a consultant who holds the CREST certified Web Application Tester (CCT) certification.
    Web Application 2Contact UsAssessment covers 50 static/dynamic pages or tabs, 4 user role authorisation testing. 3 x file upload function and all areas of the OWASP testing methodology and is assessed manually by a consultant who holds the CREST certified Web Application Tester (CCT) certification.

    Typically around one week for a small web application:

    The Open Web Application Security Project (OWASP) refers to web application security audits that follow the OWASP methodology.

    The OWASP organisation is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

    The OWASP top 10 are listed below:

    • OWASP Top 10
    • A1    Injection
    • A2    Broken Authentication and Session Management
    • A3    Cross-Site Scripting (XSS)
    • A4    Insecure Direct Object References
    • A5    Security Misconfiguration
    • A6    Sensitive Data Exposure
    • A7    Missing Function Level Access Control
    • A8    Cross-Site Request Forgery (CSRF)
    • A9    Using Components with Known Vulnerabilities
    • A10    Unvalidated Redirects and Forwards

    In short the OWASP top 10 represents the top 10 most critical web application security issues and vulnerabilities.

    OWASP testing, typically refers to a web application test that uses a methodology based on the OWASP testing guide, which is regarded as an industry approved web application security methodology.

    Yes, by our definition a website security assessment is the same service as web application audit. Almost all modern websites are web applications, meaning they perform functions and render dynamic pages typically from back end databases. A CMS is a good example of a web application. Such as WordPress, Joomla, Drupal or in house web applications built from scratch or using opensource frameworks and libraries.

    After the scoping process, a security consultant will assess the web application for security issues, report on the security issues and deliver the final report with clear remediation instructions documented. After remediation work is completed by the client a free retest is conducted by Aptive, helping ensure the previously reported security issues are resolved.

    No, In the interest of optimising testing time and identifying as many security issues as possible clients have the option to make the web application source code available. But the assessment is not a full source code audit / code review.

    Typically a web application assessment is a Grey Box test, a combination of white & black box testing. Meaning that some knowledge of the environment and test accounts are provided to assist the testing process and the assessment is typically assessed from a user prospective.

    More Questions?

    Why use Aptive for Web Application Testing

    CREST Registered Testers

    Testing performed by CREST registered consultants.

    OWASP Members

    All our testers are members of OWASP.

    OWASP Testing

    Aptive performs security testing based on the OWASP testing methodology.

    Easy to Understand Reports

    Discovered security issues in severity order with remediation instructions.

    Fixed Price Proposals

    Transparent costs and fixed price proposals, giving you peace of mind.

    Custom Testing

    Custom Testing tailored to your business requirements.


    1. Scoping
      Working with you to identify all systems / applications that need testing.

    2. Web App Testing
      completed by our CREST accredited team, this process uses a large range of attack methodologies.

    3. Reporting
      Delivering a clear easy to understand severity ordered report, detailing identified issues and associated remediation steps.

    4. Debrief
      Further explanation and demonstrations of vulnerabilities / exploits.

    5. Re-testing
      Free re-testing is included with all our services, helping your business reduce security risks.

    Why perform Web Application Testing?

    Real-world attack simulation

    Execute a real-world attack and understand the level of risk that exists at a single moment in time.

    Confirm Findings

    Complement your automated scanning to better identify and validate all security vulnerabilities.

    Management Understanding

    Provide management with an understanding of the level of risk introduced by the web application.

    Plan Mitigation

    Plan a cost-effective and targeted mitigation approach from idenitified security issues.

    Regulatory Requirements

    Various standards such as ISO27001 and PCI DSS require a website security testing.

    Information Security Strategy

    Create a foundation for future decisions regarding information security strategy and resource allocation.

    Sources: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents