Mobile Apps Pen Test
Security Reporting Standards
- Common Vulnerabilities and Exposures (CVE) Compatible
- Common Weakness Enumeration (CWE) Compatible
- Common Vulnerability Scoring System (CVSSv3) Compatible
- OWASP Application Security Verification Standard (ASVS v4.0.2) Compatible
Startup
MAPT
€ 2888
Small Dynamic Mobile Apps
Up to 5 Web Services
Small Games
Small News Apps
WebServices/APIs
Report in 3 Business Days
Best Value
SMB MAPT
€ 5250
Small eCommerce Apps
Basic eCommerce
Online Booking
Document Processing Apps
Up to 10 Web Services
Up to 10 Mobile Endpoints
Report in 4 Business Days
SME WAPT
€ 12228
Mid-Sized CRM
Mid-Sized ERP
HRM Mobile Apps
Multi-user Roles
Up to 15 Web Services
Report in 6 Business Days
valuable
Corp MAPT
€ 15888
Large Dynamic Mobile Apps
Multi-Role
Business Logic Testing
Mission-Critical Mobile Apps
Multiple APIs
Multi-Functional e-Banking
Human Resource Management – HRM
SAP, Oracle, Microsoft
25 or more Web Services
Complicated CRM Mobile Apps
Red Teaming Exercises
Report in 8 Business Days
Covered vulnerabilities
SANS Top 25
- CWE-22: Path Traversal
- CWE-89: SQL Injection
- CWE-78: Command Injection
- CWE-89: Blind SQL Injection
- CWE-79: Stored XSS
- CWE-90: LDAP Injection
- CWE-79: Reflected XSS
- CWE-91: XML Injection
- CWE-79: DOM-Based XSS
- CWE-93: CRLF Injection
- CWE-94: Code Injection
- CWE-113: HTTP Response Splitting
- CWE-94: AJAX Injection
- CWE-200: Information Exposure
- CWE-94: JSON Injection
- CWE-255: Credentials Management
- CWE-97: SSI Injection
- CWE-284: Improper Access Control
- CWE-98: Remote/Local PHP File Inclusion
- CWE-287: Authentication Bypass
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-site request forgery (CSRF)
- CWE-384: Session Fixation
- CWE-400: Resource Exhaustion
- CWE-434: Arbitrary File Upload
OWASP Top 10 for Web Apps
- O1: Injection
- O2: Broken Authentication
- O3: Sensitive Data Exposure
- O4: XML External Entities (XXE)
- O5: Broken Access Control
- O6: Security Misconfiguration
- O7: Cross-Site Scripting (XSS)
- O8: Insecure Deserialisation
- O9: Using Components with Known Vulnerabilities
- O10: Insufficient Logging & Monitoring

OWASP Top 10 for Mobile Apps
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
Customised Security Assessment
- Full Customization of Testing
- Web Application Penetration Testing
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage for Web & Mobile
- PCI DSS 6.5.1-6.5.11 Full Coverage
- AI to Augment Human Testing and Analysis
- Machine Learning to Accelerate Testing
- Authenticated Testing (2FA / SSO)
- REST/SOAP API Testing
- MITRE ATT&CK® Matrices for Mobile and Enterprise

PCI DSS
- Improper Access Control
- Insecure Communications
- Cross-Site Request Forgery (CSRF)
- Improper Error Handling
- Broken Authentication and Session Management
- Injection Flaws
- Several other “High” Risk Vulnerabilities
- Buffer Overflows
- Cross-Site Scripting (XSS)
- Insecure Cryptographic Storage

Security Assessment Methodologies
- OWASP Testing Guide (OTGv4)
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- PCI DSS Information Supplement: Penetration Testing Guidance
- FedRAMP Penetration Test Guidance
- ISACA’s How to Audit GDPR
Security Reporting
Threat-Aware Risk Scoring
Tailored Remediation Guidelines
Web Interface, PDF and XML Formats
PCI DSS and GDPR Compliance
CVE, CWE and CVSSv3 Scores
Zero False-Positive SLA
Remediation
One Re-test after Patch Verification