Software Penetration Testing

Testing is our forte

Software Penetration Testing addresses the following technology challenges:

  • Minimize the number of security vulnerabilities in developed or integrated software solutions;
  • Protect Intellectual Property (IP) contained within developed software solutions;
  • Minimize STRIDE threats.

Clients usually seek this service under the following circumstances:

  • Software solution already exists (released or about to be released);
  • A security issue was discovered and/or exposed to the public;
  • Lack of internal expertise and/or resources to perform software penetration testing;
  • A compliance requirement or an external audit;
  • Source code is not available, or the client is not willing to provide it.

Typically, the service may result in the following additional work:

  • Software Security Training;
  • Ongoing Security Advisory Consulting for Development teams;
  • Implementation of fixes for identified security issues.

eWebStudy provides software penetration testing (also known as ethical hacking) services for web-based solutions. Software Penetration Testing is helpful for getting a quick assessment of your web-based system's security level against the most typical issues using a 'black-box' approach, without looking "under the hood". This testing simulates the typical behavior of malicious users who will try to attack your system.

Testing is performed using OWASP (www.owasp.org) recommendations. The process is divided into the following phases:

  • Information gathering and application structure analysis;
  • Penetration tests for selected entry points;
  • Analysis and exploitation of identified vulnerabilities.

The information-gathering and application structure analysis step is used to analyze the application structure and the potential entry points that might be used by an attacker. For each potential target, penetration tests are performed to check for the most common types of vulnerabilities, such as various types of injection, session management flaws, business logic flaws and others.

Identified vulnerabilities may not always result in a serious threat to the system. For that reason, each identified vulnerability is reviewed by eWebStudy security advisors to analyze its potential impact.

For issues classified as high-risk, a vulnerability exploitation attempt is performed to further investigate each problem.

As a result, the client gets a full report of identified vulnerabilities and their associated risk levels, with a minimal number of false positives. This information helps determine whether more sophisticated measures are required to ensure the proper security of the system. For more information on the eWebStudy testing portfolio, contact us today.