Security Testing is a type of software testing that is done to ensure that a system is not vulnerable to hostile actions or attacks, and that its data and functionality are protected from intentional or unintentional intrusions.
There are countless ways to intrude into a system. The HireTester team tests the basic application security level.
We use the OWASP Top 10 to cover the most common types of system penetration and corruption, and act accordingly.
What We Do During Security Testing
Injection
Ensure that attackers cannot insert untrusted data into a query or a command in order to penetrate the system.
Broken authentication and session management
Check that the application components responsible for authentication and session management (passwords, keys, session tokens, etc.) are implemented correctly, so that users' private data cannot be obtained.
Cross Site Scripting (XSS)
Rule out the possibility of inserting foreign data into your application, and verify that input data sent from the application to a web browser is properly validated.
Insecure Direct Object References
Find direct references to internally implemented objects, such as files, directories, or database keys. Ensure that they are protected and that attackers cannot use them to access personal data.
Security Misconfiguration
Test that all infrastructure components are configured in such a way that attackers cannot corrupt the system or steal data (no default configuration is left in use).
Sensitive Data Exposure
Ensure that sensitive data, such as credit card numbers, tax IDs, authentication credentials, etc., is sent to the web server over HTTPS and protected by safe encryption algorithms.
Missing Function Level Access Control
Verify that a check for sufficient access rights is performed on every software function when it is accessed.
Cross Site Request Forgery (CSRF)
Confirm that a forged HTTP request, carrying the victim's session cookie or other authentication information, cannot make the browser issue illegitimate requests to a vulnerable web application.
Using Components with Known Vulnerabilities
Check whether the system can be intruded through third-party components, such as libraries and frameworks, that contain known weak spots.
Unvalidated Redirects and Forwards
Ensure that during redirects or forwards to other pages and websites the input data is properly validated, so that attackers cannot redirect users to forged or malicious websites.
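The object-reference and function-level checks described above (Insecure Direct Object References and Missing Function Level Access Control), as an added example that is not HireTester's code nor part of the original page: a vulnerable handler beside its hardened form, plus a small audit helper of the kind a tester runs to compare what a user can reach against what the user is entitled to. The document store, users, roles and handler names are constructed for illustration.

```python
import copy

# Constructed sample store (hypothetical): document id -> owner and content.
DOCUMENTS = {1: {"owner": "alice", "body": "alice's tax return"},
             2: {"owner": "bob", "body": "bob's tax return"}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Caller lacks the rights for the requested object or function."""


def get_document_insecure(store, user, doc_id):
    # Insecure direct object reference: the id from the request is trusted
    # as-is, so any logged-in user reads any document by changing the number.
    return store[doc_id]["body"]


def get_document(store, user, doc_id):
    # Hardened: look the object up, then verify the caller owns it. Missing
    # and foreign ids get the same answer, so the id space is not enumerable.
    doc = store.get(doc_id)
    if doc is None or doc["owner"] != user:
        raise Forbidden
    return doc["body"]


def delete_document_insecure(store, user, doc_id):
    # Missing function-level access control: an admin-only operation is
    # reachable by every authenticated user; nothing checks the caller's role.
    return store.pop(doc_id, None) is not None


def delete_document(store, user, doc_id):
    # Hardened: the role check lives in the function, not only in the UI menu.
    if ROLES.get(user) != "admin":
        raise Forbidden
    return store.pop(doc_id, None) is not None


def audit(handler, user, doc_ids):
    # Probe each id against a fresh copy of the store (so a delete cannot skew
    # the next probe) and return the ids the user could act on; anything beyond
    # what the user is entitled to is a finding.
    reachable = []
    for doc_id in doc_ids:
        try:
            if handler(copy.deepcopy(DOCUMENTS), user, doc_id):
                reachable.append(doc_id)
        except (Forbidden, KeyError):
            pass
    return reachable
```

Running `audit` with a low-privileged user against each handler is the check: the insecure handlers return ids the user does not own (or an admin-only action), the hardened ones return only what the user is entitled to.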
Multi-Level Approach to Security Testing
Software scanning
First, we use automated tools such as Acunetix Web Vulnerability Scanner, Netsparker, Vega Vulnerability Scanner, and OWASP Zed Attack Proxy (ZAP) to scan the software and find vulnerabilities.
Deeper check
Then, we perform an additional manual check, imitating the actions of intruders, to analyze your application more deeply and rule out illegal system penetration.
Detailed reporting
Next, we provide you with a detailed report on the detected vulnerabilities and their severity for the application and its users.
Regression testing
After the vulnerabilities have been eliminated and no other threats remain, we run regression testing and provide you with a final report on basic security.