
Web Application Penetration Testing

From reviewing every line of code to preparing your revenue generating websites for secure launch, our application penetration testing service covers a breadth of skill-set and experience.

Security Assurance

With the increased threat of cyber attacks it is vital to manage the security of your web applications and their underlying systems in depth so that vulnerabilities are detected as early as possible. High-profile data breaches have made application security a boardroom issue and our customers are extra cautious about the applications that they bring into their IT environments. It is significantly less costly to remove a vulnerability before a service goes live than after it has been launched. 

Stop cybersecurity incidents turning into financial or reputational loss. Our Security Assurance services address the growing number and intensity of cyber threats in today's digital era. We follow an application security testing methodology that is closely aligned with CREST's requirements as well as the OWASP Top 10 (2017).

Service Offering Insights

Why choose us?

  • Extensive sector-based experience
  • Focus on service quality, insight and the client's business
  • Thorough analysis and reporting that caters for both management and technical audiences
  • Customer-centric proposals; no fixed sales packages
  • Aftercare support, including a debrief and help with the remediation plan

Our qualifications

Defendza as a business, and its consultants individually, hold some of the best-known certifications, accreditations and qualifications globally. The business holds CREST membership, a place on the G-Cloud 11 Framework and ISO quality management certifications. Our consultants are ex-CHECK Team Leaders/CCT Infrastructure (2012, 2015) and Web Applications (2009, 2012, 2015), and hold OSCP (Offensive Security Certified Professional), CREA (Certified Reverse Engineering Analyst), CREA (Certified Binary Auditing Expert), CISSP (Certified Information Security Systems Professional), SANS GSEC & GCIH Silver (Hacker Techniques and Incident Handling), CCNA (Cisco Certified Network Associate) and CEH (Certified Ethical Hacker).

Key benefits

Conducting regular penetration assessments offers the following benefits:

  • Assess your security controls and your preparedness for a cyberattack
  • Manage your network-based risks in a structured and organised manner
  • Evidence compliance with ever-changing regulatory and certification requirements
  • Assess your corporate security culture, including password, patching, auditing, logging and information storage practices
  • Assure your supply chain (suppliers, vendors) that you take the security of your data seriously
  • Protect client loyalty and brand image by demonstrating adherence to security practice

A holistic approach to application security

Defendza Ltd is an accredited CREST penetration testing service provider. This ensures we adhere to the high technical standards and code of conduct set by CREST. Our holistic approach to application security comes from our years of experience delivering engagements for clients across several sectors.

We believe that security should be embedded from the beginning of the life cycle. There is no shortcut: bolting security on towards the end of the development process does not produce a secure product. We review the technical specification documents of the application before it goes into development. Our team threat-models the design to evaluate the threats to each data flow before the developers take over. We ensure secure coding practices are in use by the developers to reduce vulnerabilities caused by the use of insecure libraries or modules.

All our application-related services map to the stages of the product/application development lifecycle discussed above.

Importance of application security

Applications, whether web, mobile, thick/thin client or compiled, are a necessary part of doing business in a world where everything is connected to the internet. Applications with inadequate security invite attacks and, in the worst case, data breaches. Web applications are lucrative targets for online threat actors who are constantly looking for new ways to compromise business and personal data.

Security is a key element that should be considered throughout the application development lifecycle, especially when the application is designed to handle critical business data and resources. Web application security testing ensures that the information system is capable of protecting the data and maintaining its functionality. The process encompasses analysing the application for technical flaws, weaknesses and vulnerabilities, right from the design and development phase.

Our Approach

We base our application security assessment offerings on an extensive methodology that we have developed after years of experience working across several sectors. A cybersecurity consultancy must follow an approach that delivers expected returns on your investment. At a high level, our approach to application security assessments is:

Step 1: Scoping and Customer Insight

When you decide to give us the go-ahead, our very first step is to gain insight into your motivation, so that we can advise on your real concerns. The comprehensive process we go through to understand this determines the vision for the project. At the technical level, this includes the assets to be included, their fragility and their importance to the environment.

Step 2: Planning

Based on the results of the reconnaissance phase, the target list is prioritised. Priority is given to "low-hanging fruit" that could trivially aid in gaining a foothold within the network.

Step 3: Threat Modelling

This phase evaluates the threats affecting the web application in scope. The types of attack and the likelihood of these threats materialising serve as the basis for the risk ratings and priorities assigned to the vulnerabilities during the assessment. The insight gained into the identified threats gives direction to the testing.

Step 4: Reconnaissance - Web

This is an important step towards gathering as much information as possible about the target application. This includes passively fingerprinting the CMS and obtaining data cached in Google about the technologies and web pages in use. Any data obtained during this phase helps plan the entire pentest properly.

Step 5: Web Server Analysis

The web server hosting the application is also considered a vital component during this testing. A weakness in the supporting infrastructure, including the configuration of the web server, could lead to a compromise of the application hosted on it.

Step 6: OWASP Top 10 Checks

Our consultants focus on the top 10 categories of attack defined by the industry-standard OWASP Top 10. These are:

  • Injection
  • Broken authentication
  • Sensitive data exposure
  • XML External Entities (XXE)
  • Broken access control
  • Security misconfiguration
  • Cross-site scripting
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

Step 7: Business Logic Analysis

The business logic of the entire application must be reviewed. This is only possible after gaining an understanding of how the application behaves for different privilege levels. With the knowledge gained from the threat-modelling phase, our consultants are in a position to exploit business-logic vulnerabilities that are often overlooked by developers.

Step 8: Reporting

The assessment-execution phase is followed by analysis and reporting. Defendza analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address business as well as technical audiences, with supporting raw data and mitigation measures at both strategic and tactical levels.

Testimonials

"My experience to date with Defendza has been very positive. I look for a flexible, knowledgeable security "partner" when I engage a PT firm. Pentest means many things to many people and there are many different use cases for both the testing activity and the report generated, and I need someone to work with me to get the absolute best value out of my security budget."

Information Security Officer
Insurance Group

"Excellent people to work with. Very good knowledge of requirement and give us correct findings with excellent remedy to improve our security for our B2B portal site."

Head of Technical & Business Improvement
Leading Pharmaceutical Manufacturer

"I thought it was a highly professional and thorough exercise and I would have no hesitation recommending Defendza to any of my connections."

Director, Software Engineering
Global Information and Analytics Company

"Good personal service. We are delighted with the work Defendza did for us. Highly recommended."

CTO
Manchester headquartered Global Fashion Brand

"Extremely satisfied with approach, speed and end results. Thanks."

COO
International fashion label and store

"My experience of the Defendza team was 5 star. They were so helpful, and their technical delivery and client communication were excellent."

Director, Software Development
Corporate Services Company

Related News

15/08/2019

ECB shuts down compromised BIRD website

The European Central Bank (ECB) said that unauthorised parties had breached the security measures protecting its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external provider. As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured. 

12/07/2019

Misconfigured Amazon S3 buckets result in compromised sites

More than 17,000 web domains have been infected with digital skimming code after threat actors scanned for misconfigured Amazon S3 buckets. The attackers automatically scan for buckets that are misconfigured to allow anyone to view and edit the files they contain.

21/04/2019

Most hacked passwords revealed

NCSC’s first ‘UK Cyber Survey’ shows 42% of Brits expect to lose money to online fraud. Breach analysis finds 23.2 million victim accounts worldwide used 123456 as password. Brits have been urged to apply steps to stay safe online after results of the UK Cyber Survey exposed exploitable gaps in their personal security knowledge.