Web Application Vulnerability Assessment
WEB APPLICATION ASSESSMENT
For a Web Application Assessment to be effective, it must combine automated and manual testing processes. LCM’s Web Application Testing always consists of automated and manual testing of Web Applications to ensure that all elements of the applications are tested while still focusing on higher-level issues that tools cannot uncover. LCM uses Qualys as the automated tool when performing Web Application Assessments.
APPROACH TO WEB APPLICATION ASSESSMENT
Using Qualys, LCM performs vulnerability scans on Web Applications. Web application assessment always combines automated and manual testing to benefit from the strengths of each. All findings generated by automated tools are manually validated to remove false positives. Criticality levels assigned by automated tools are manually reassessed for real-world accuracy using CVSS, taking into account the sensitivity of the data, the skill required to exploit, exposure, and collateral impact. Manual testing also covers higher-level issues that automated tools cannot find, such as flaws in business logic and workflow, browser variations, password reset mechanisms, privilege escalation and separation of data, and weaknesses specific to the underlying technology.
LCM recommends that a Vulnerability Assessment be completed in twelve phases:
Pre-test activities
Notifications
Reconnaissance and footprinting
Network layer assessments
Automated assessments
Manual validation of automated findings
Manual testing
Determining levels of criticality
Safeguarding data and client communications
Draft report
Client briefing
Final report and project close
WEB APPLICATION ASSESSMENT DELIVERABLES
A report of findings for the automated and manual testing consisting of:
Scan Summary Report: A report of findings outlining all of the vulnerabilities that were discovered, along with recommendations from LCM Security.
Detailed Scan Results Excel Working Document: An Excel spreadsheet view of all the discovered vulnerabilities. Each finding is recorded with the following fields:
Hostname / IP Address
Impact
Criticality Level
Solution (Remediation steps)
Scan Details Documents: Raw scanner results in PDF format, sorted by vulnerability. These documents provide additional detail beyond what is available in the summary report or the Excel working document.
WEB APPLICATION ASSESSMENT DELIVERY TEAM
Lead Assessor: An Information Security expert, possessing various certifications and a degree in information security. The assessor has a thorough understanding of the Vulnerability Management process and a deep knowledge of the technologies being reviewed.
Virtual CISO: An Information Technology leader with over 20 years of experience in Cyber Security consulting and Managed Security Services, with CISA and CRISC certifications.
Report Writers: Will develop final reports based on the findings of the assessment.