Armour Infosec uses methodology which are set of security industry guidelines on how the testing should be conducted.
There are some well-established and famous methodologies and standards that can be used for testing, but since each web application demands different types of tests to be performed, testers can create their own methodologies by referring to the standards available in the market.
The popularity of web applications has also introduced another vector of attack that malicious third parties can exploit for their personal gains. Since web applications usually store or send out sensitive data, it is crucial to keep these apps secure at all time, particularly those that are publicly exposed to the World Wide Web.
The methodology is nothing but a set of security industry guidelines on how the testing should be conducted. There are some well-established and famous methodologies and standards that can be used for testing, but since each web application demands different types of tests to be performed, testers can create their own methodologies by referring to the standards available in the market.
Some of the Security Testing Methodologies and standards are :
|
OWASP Top 10 – 2013
|
OWASP Top 10 2017
|
OWASP Top-10 2021 proposal
|
|---|---|---|
|
A1 - Injection
|
A1 - Injection
|
A1 - Injection
|
|
A2 - Broken Authentication and Session Management
|
A2 - Broken Authentication
|
A2 - Broken Authentication
|
|
A3 - Cross-Site Scripting (XSS)
|
A3 - Sensitive Data Exposure
|
A3 - Cross site scripting (XSS)
|
|
A4 - Insecure Direct Object References
|
A4 - XML External Entities (XXE)
|
A4 - Sensitive Data Exposure
|
|
A5 - Security Misconfiguration
|
A5 - Broken Access Control [merged]
|
A5 - Insecure deserialization
|
|
A6 - Sensitive Data Exposure
|
A6 - Security Misconfiguration
|
A6 - Broken access control
|
|
A7 - Missing Function Level Access Control
|
A7 - Cross Site Scripting (XSS)
|
A7 - Insufficient logging and monitoring
|
|
A8 - Cross-Site Request Forgery (CSRF)
|
A8 - Insecure Deserialization
|
A8 - Server Side Request Forgery
|
|
A9 - Using Known Vulnerable Components
|
A9 - Using Components with Known Vulnerabilities
|
A9 - Using components with known vulnerabilities
|
|
A10 - Unvalidated Redirects and Forwards
|
A10 - Insufficient Logging &Monitoring
|
A10 - Security misconfigurations
|
*Highlighted text are tested for web pentesting
Before an application assessment can take place, Armour Infosec defines a clear scope of the client. Open communication between Armour Infosec and the client organization is encouraged at this stage to establish a comfortable foundation from which to assess.
Our engineers collect as much information as they can on the target, employing a myriad of OSINT (Open Source Intelligence) tools and techniques. The assembled information will assist us with understanding the working states of the association, which permits us to evaluate the risk precisely as the engagement progresses.
At this stage, we consolidate computerized contents and instruments, among different strategies in further developed data gathering. Our experts closely inspect any conceivable assault vectors. The accumulated data from this stage will be on the basis for exploitation in the upcoming stage.
In this step, we initiate both manual & automated security scan to find all possible attack vectors & vulnerabilities. After this, we run exploits on the application to evaluate its security. We use different methods and open-source scripts and in-house tools to gain a high degree of penetration. All these are done cautiously to secure your application and its information
This is the final stage of the whole assessment process. In this stage, the Armour's analysts aggregate all obtained information and provide the client with a thorough, comprehensive detailing of our findings. Our team will discuss the report and find the appropriate solutions for the bugs located. After that, a comprehensive discussion will be carried out to fix these vulnerabilities .
Planning Phase:
We define the scope of our testing before starting our test efforts. The tester should be aware of the HTTP/HTTPS protocol basics and know about the Web Application Architecture and traffic interception methods. Review the test results to understand what vulnerabilities existed in the past and what remediation was taken to resolve.
Attacks/Execution Phase :
Testers should ensure to run tests with users having different roles since the system may behave differently with respect to users having different privileges. To ensure test results are properly shared with all stakeholders, testers should create proper reports with details on vulnerabilities found, the methodology used for testing, severity, and the location of the problem found.
Post Execution Phase :
After the remediation is taken and implemented, testers should retest to ensure that the fixed vulnerabilities did not appear as part of their retesting.
Armour Infosec provided to the point and in-depth vulnerabilities details, which was greatly beneficial to us. We are an exclusive community of testers delivers the real-time insights you need to remediate risk quickly and innovate securely.