A Web Security Audit combines a penetration testing methodology with a code review methodology. It evaluates the security of a web system by simulating attacks against the running application and reviewing the source code of the web application; the process is an active analysis of the application for technical flaws and vulnerabilities.
Tasks typically include:
- Configuration Management Testing
- Business Logic Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Input Validation Check
- Source Code Design Check
- Information Leakage and Improper Error Handling Check
- Direct Object Reference Check
- Resource Usage Check
- API Usage Check
- Best Practices Violation Check
- Weak Session Management Check
- Use of HTTP GET Query Strings Check
A web system becomes vulnerable either through weaknesses in the web network layer or through logical programming errors; a Web Security Audit checks both the web network and the application code. The audit is based on industry standards such as those of the Open Web Application Security Project (OWASP).
A well-run Web Security Audit has two phases of testing. In the first phase, the security gaps in the system are identified and a set of countermeasures is recommended to close them. In the second phase, the system is retested to confirm that the gaps have been removed.
A Web Security Audit exercise helps any web system to:
- Identify vulnerabilities along with their corresponding countermeasures.
- Mitigate security risk.
- Provide assurance to partners and users.
- Identify security gaps.