To request an assessment of your Web application, please fill out the Web Application and System Vulnerability Assessment Request Form.
The Web App Assessment Process
The basic Web Application Assessment is a three-step process:
- Once the request form is submitted, a security analyst will be in touch to discuss the details of your website. Requests are handled in the order they are received, and an analyst will typically be in touch within 24-48 hours. Safeguards, such as backups, assessing a development/acceptance server instead of production, and assessing during off-peak hours, are also discussed to ensure that recovery can be performed in the event of a problem. This initial contact also serves to familiarize the analyst with the site and with its administrator and developer.
- The assessment is performed at the time agreed in step 1. It consists of automated scanning combined with manual testing, which covers parts of the application the scanner misses and verifies whether the scanner's findings are genuine or false positives. From the web application's perspective, manual testing looks much like a regular user browsing and using the application. Automated scanning, on the other hand, is typically a rapid-fire scan of the site and can place additional load on the web server; the safeguards discussed in step 1 are intended to mitigate problems caused by automated scanners. Depending on the size of the site, the assessment can take several days. The OWASP Top 10 gives a concise list of the types of issues found during the assessment process.
- Results of the assessment are presented to the developer and/or network contact. They typically consist of a summary report and the output of the automated scanner. The summary report discusses the issues with the site, where they were found, and steps for remediation. The automated scanner report is usually much longer and contains both information about what was found and detailed information about the requests involved; this is helpful for the developer because it lays out everything known about a specific issue. After the assessment is finished and the issues have been remediated, follow-up scans can be requested to confirm that the problems have been fixed.
Web App Assessment Goals
The goal of these assessments is to provide feedback about the security of a website, to educate developers and administrators about the consequences of web application weaknesses, and to raise awareness about web application security. As with most technology, web applications are evolving targets and require persistent testing and assessment.