Description

Mobile Application Penetration Testing (MAPT)

Security Assessment

• Full Customization of Testing
• Web Application Penetration Testing:
• SANS Top 25 Full Coverage
• OWASP Top 10 Full Coverage
• PCI DSS 6.5.1-6.5.11 Full Coverage
• AI to Augment Human Testing and Analysis
• Machine Learning to Accelerate Testing
• Authenticated Testing (2FA / SSO)
• REST/SOAP API Testing

Reporting

• Threat-Aware Risk Scoring
• Tailored Remediation Guidelines
• Web Interface, PDF and XML Formats
• PCI DSS and GDPR Compliances
• CVE, CWE and CVSSv3 Scores
• Zero False-Positive SLA

Security Reporting Standards

• Common Vulnerabilities and Exposures (CVE) Compatible
• Common Weakness Enumeration (CWE) Compatible
• Common Vulnerability Scoring System (CVSSv3)

Remediation

Patch Verification Testing once

Covered Vulnerabilities

OWASP Top 10 for Web

• W1:Broken Access Control
• W2:Cryptographic Failures
• W3:Injection
• W4:Insecure Design
• W5:Security Misconfiguration
• W6:Vulnerable and Outdated Components
• W7:Identification and Authentication Failures
• W8:Software and Data Integrity Failures
• W9:Security Logging and Monitoring Failures
• W10:Server-Side Request Forgery

OWASP Top 10 for API

• API1: Broken Object Level Authorization
• API2: Broken User Authentication
• API3: Excessive Data Exposure
• API4: Lack of Resources & Rate Limiting
• API5: Broken Function Level Authorization
• API6: Mass Assignment
• API7: Security Misconfiguration
• API8: Injection
• API9: Improper Assets Management
• API10: Insufficient Logging & Monitoring

OWASP Top 10 for Mobile Apps

• M1: Improper Platform Usage
• M2: Insecure Data Storage
• M3: Insecure Communication
• M4: Insecure Authentication
• M5: Insufficient Cryptography
• M6: Insecure Authorization
• M7: Client Code Quality
• M8: Code Tampering
• M9: Reverse Engineering
• M10: Extraneous Functionality

SANS Top 25

Full Coverage of SANS Top 25 for all packages

• CWE-22: Path Traversal
• CWE-89: SQL Injection
• CWE-78: Command injection
• CWE-89: Blind SQL Injection
• CWE-79: Stored XSS
• CWE-90: LDAP Injection
• CWE-79: Reflected XSS
• CWE-91: XML Injection
• CWE-79: DOM-Based XSS
• CWE-93: CRLF Injection
• CWE-94: Code Injection
• CWE-113: HTTP Response splitting
• CWE-94: AJAX Injection
• CWE-200: Information Exposure
• CWE-94: JSON Injection
• CWE-255: Credentials Management
• CWE-97: SSI injection
• CWE-284: Improper Access Control
• CWE-98: Remote/Local PHP File Inclusion
• CWE-287: Authentication Bypass
• CWE-345: Insufficient Verification of Data Authenticity
• CWE-352: Cross-site request forgery (CSRF)
• CWE-384: Session Fixation
• CWE-400: Resource Exhaustion
• CWE-434: Arbitrary File Upload

PCI DSS

PCI-DSS

• Improper Access Control
• Insecure Communications
• Cross-Site Request Forgery (CSRF)
• Improper Error Handling
• Broken Authentication and Session Management
• Injection Flaws
• Several other “High” Risk Vulnerabilities
• Buffer Overflows
• Cross-Site Scripting (XSS)
• Insecure Cryptographic Storage

Security Assessment Methodologies

WAPT Assessment Methodologies

• OWASP Testing Guide (OTGv4)
• NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
• PCI DSS Information Supplement: Penetration Testing Guidance
• FedRAMP Penetration Test Guidance
• ISACA’s How to Audit GDPR