
Application Testing

Application testing is one of our core services. We are able to assess the security of any type of application. The broad categories of applications we most commonly deal with are described in the sections below.

If your app doesn’t fit into one of these categories, fear not! To put it simply: if it’s written in code, we can test it. Regardless of the programming language(s) used or the platform developed for, we can perform a thorough security assessment, improve the security posture of your application and ultimately add value to your wider security processes.

Enquire about Application Testing

Get in touch to find out more or to arrange a scoping call.


What is Application Penetration Testing?

Application Penetration Testing involves simulating real-world cyberattacks to identify vulnerabilities in software applications, websites and mobile apps that could be exploited by a malicious actor. Our experts at System Secure uncover these issues and advise on how to proactively safeguard sensitive data, reduce the risk of security breaches and ensure compliance with industry regulations.

Our penetration testing services are tailored to support any required compliance framework.


Web Application Testing

We deem a “web application”, or web-app, to be any application that you would access through a web browser. It might be an external (Internet-facing) application such as a corporate website or cloud SaaS platform such as Outlook365, HubSpot or Trello. Or it could be an internal application that is only accessible via a local company network or VPN.

Every web application will have its own unique features and potential risks. The OWASP Foundation reports on the top ten vulnerabilities exploited by cyber-criminals; however, these risks adapt and change over time. Regular, thorough testing is the best way to identify potential threats so that preventative measures can be taken.

Our web application assessments can be approached in one of the following three ways:

  • Black Box – Simulation of an unauthenticated attacker with no prior access to or knowledge of the application. No privileged access such as user login credentials, documentation or source code is provided. We are given the target URL and network-level access to the application, but that is it.
  • Grey Box – Similar to black box, but we are provided with test user accounts so that we can reach and thoroughly test all areas of the application, and more efficiently test for issues relating to user permissions. This is particularly suited to applications that have multiple user roles such as User, Moderator, Administrator, etc.
  • White Box – As with Grey Box, but we are additionally provided with the application source code and design documentation where required. This is the ideal method for ensuring the most thorough and efficient test.


Mobile Application Testing

Testing applications that run on a mobile device, most commonly iOS and Android applications.

While mobile applications may not have the same level of security as other types of software, they do have some unique considerations that need to be taken into account during penetration testing. For example, mobile apps run on a device that can be lost or stolen at any time, so you need to make sure your app is secure against local attacks by an adversary in possession of the device.

There is a lot of cross-over between mobile and web-app testing, as mobile apps typically talk to web APIs, meaning that many of the server-side vulnerabilities we test for are the same. What happens on the client side (i.e. on the mobile device itself) is different, though: areas such as how the app stores sensitive data on the device, whether the app can be attacked by other malicious apps, and so on.

We would always ask that “shielding” features such as jailbreak/root detection, SSL pinning and code obfuscation are removed in the application that is to be tested, in order for us to test most efficiently.

This can also be approached in the Black, Grey and White box manner as with web-app testing. This service is commonly blended with our web API testing service.


API Testing

Many modern web applications, mobile applications and thick clients communicate with APIs. An API is a way for computer systems to retrieve information in an efficient, parsable format, which often isn’t the most visually appealing or readable by a human. For this reason it is normally going on behind the scenes.

Often an API is included within the scope of a web-app or mobile app test, but APIs can also be tested on their own in isolation. Clients provide us with a list of API endpoints to be assessed. Generally, they also provide API documentation, in the form of a Postman collection, Swagger definition or otherwise, which defines exactly what each API endpoint expects as input as well as the format in which it would typically return any output. We then test whether the API endpoints could be misused in any way, as well as testing for any authorisation flaws. Ultimately the APIs operate over HTTP, and we intercept and manipulate HTTP requests as we normally would in any web-app or mobile app test.
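The authorisation flaws mentioned above are most often object-level: an endpoint authenticates the caller but never checks that the caller is allowed to see the specific record requested. The following is an added example (not code from System Secure or from this page) of a tiny in-memory API with such a flaw beside its corrected handler, plus the cross-account check a tester performs by requesting every record with every user's token. The tokens, users, invoices and role names are all constructed for the example.

```python
# Added example (not the original page's or System Secure's code): an
# object-level authorisation flaw in an API handler beside the corrected
# version, and a cross-account probe of the kind an API test runs.
from dataclasses import dataclass
from typing import Optional, Tuple, List, Callable


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed role names: "user" or "admin"


# Constructed sample records: invoice id -> (owner user id, amount in pence)
INVOICES = {
    101: (1, 12_000),
    102: (2, 4_500),
    103: (2, 99_000),
}

# Constructed bearer-token table standing in for real session handling
TOKENS = {
    "tok-alice": User(1, "user"),
    "tok-bob": User(2, "user"),
    "tok-admin": User(99, "admin"),
}

Response = Tuple[int, dict]
Handler = Callable[[dict, int], Response]


def authenticate(headers: dict) -> Optional[User]:
    """Resolve the caller from an 'Authorization: Bearer <token>' header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return TOKENS.get(value[len("Bearer "):])


def get_invoice_unchecked(headers: dict, invoice_id: int) -> Response:
    """Flawed handler: authenticates the caller but never checks who owns the
    invoice, so any logged-in user can read any invoice by changing the id."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, {"error": "not found"}
    owner, amount = record
    return 200, {"invoice_id": invoice_id, "owner": owner, "amount": amount}


def get_invoice_checked(headers: dict, invoice_id: int) -> Response:
    """Corrected handler: the caller must own the record or hold the admin role."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, {"error": "not found"}
    owner, amount = record
    if caller.role != "admin" and caller.user_id != owner:
        return 403, {"error": "forbidden"}
    return 200, {"invoice_id": invoice_id, "owner": owner, "amount": amount}


def cross_user_reads(handler: Handler) -> List[Tuple[str, int]]:
    """The cross-account check a tester performs: request every invoice with
    every non-admin token and report the (token, invoice) pairs that were
    returned although the caller does not own them. Empty means no flaw found."""
    leaks = []
    for token, user in TOKENS.items():
        if user.role == "admin":
            continue
        for invoice_id, (owner, _amount) in INVOICES.items():
            status, _body = handler({"Authorization": f"Bearer {token}"}, invoice_id)
            if status == 200 and owner != user.user_id:
                leaks.append((token, invoice_id))
    return leaks


if __name__ == "__main__":
    print("flawed handler leaks:   ", cross_user_reads(get_invoice_unchecked))
    print("corrected handler leaks:", cross_user_reads(get_invoice_checked))
```

The corrected handler returns 403 for another user's record, which still tells a caller that the record exists; designs that must not reveal this return 404 for both cases. Either way, the probe above is what separates "authenticated" from "authorised" during a test.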


Thick Client / Desktop Application Testing

These are applications that are installed on, and accessed from, a laptop, desktop or server itself, as opposed to web applications, which are accessed via a browser.

Data in transit between the application and the remote server is assessed to determine whether it is appropriately encrypted and whether it can be tampered with at all. This evaluates whether a malicious party could gain access to additional data or functionality.

Data at rest is assessed to ensure that it is stored securely on the filesystem.

The application itself is also assessed to confirm whether it can be manipulated at runtime to perform unwanted actions or to grant unauthorised access to sensitive data.