RVASI ethical hacking solutions
Web Application Penetration Test

Attacks that exploit the vulnerabilities and design flaws plaguing many of today's Web-based applications are growing exponentially, and organizations that fail to test for and address these issues often fall victim to costly compromises.  Although many organizations do an excellent job of securing their perimeter networks & systems from attack by using restrictive firewalls, sophisticated intrusion detection & prevention systems, and more, little is still being done to ensure that their publicly accessible applications are secure.

What You Can Expect:

  •   Expert Testers
  •   Proven Methodology
  •   Customized Approach
  •   Excellent Reporting
  •   Tests for Compliance
  •   Affordable Pricing

 

Our team offers organizations testing that simulates real-world attacks against their Web-based applications and is designed to accurately identify security and applicable compliance issues. RVASI uses an assortment of automated & manual tools and techniques to perform an in-depth and comprehensive vulnerability assessment of your organization's internal and external Web-based applications.  At the conclusion of our testing, a findings report is provided which includes a detailed description of each issue, an associated severity rating, an exploitability risk rating, and one or more practical recommendations for addressing the issues throughout the System Design Life Cycle (SDLC).

 

Testing Performed

RVASI's testing includes checks for application security issues identified on the OWASP Top 10 list, and more:

Optional Compliance & Standards Testing

RVASI offers the following optional compliance and standards testing for organizations that must meet one or more regulatory compliance requirements or adhere to industry standards:

  • GLBA Compliance
  • HIPAA Compliance
  • CA SB 1386 Compliance
  • Sarbanes-Oxley Compliance
  • VISA CISP Compliance
  • Payment Card Industry (PCI) Data Security Standard
  • Federal Information Security Management Act (FISMA)
  • International Standards Organization (ISO) 17799

Process Overview

The first step in our process is to complete our Assessment Contact Form.  Once it is complete, a member of the RVASI team will contact the specified point(s) of contact within your organization and begin the process outlined below:

 

  •   Signed Mutual Non-Disclosure Agreement (MNDA)

RVASI requires organizations to sign an MNDA before proceeding with any assessment-related activities, including detailed discussions, interviews, or similar.  The primary purpose of this agreement is to govern the handling of confidential information shared between our organizations.

 

  •   Scope Interview & Questionnaire

Unquestionably, this is one of the most critical phases in the entire process. Our team will meet with individuals at your organization via a conference call or other means and conduct one or more interviews in order to gain a thorough understanding of your desired testing goals/needs, security & compliance requirements, business risks, and other related factors.  We will then work on defining the scope. 

 

  •   Statement of Work (SOW)

We will synthesize the information provided by your organization during the "Scope Interview" process into a customized and detailed SOW for the testing engagement; the completed SOW will be securely delivered to your organization for review, modification, and acceptance. 

 

  •   Pre-Assessment Activities

A review of testing objectives, scope, and requirements will be done prior to the start of testing to ensure that everyone is on the same page.  Typically, this is accomplished via a conference call initiated by RVASI and includes organizational points-of-contact, IT security personnel, business stakeholders, and the team at RVASI performing the testing.

 

  •   Penetration/Vulnerability Assessment Testing

During this phase, our team will conduct the agreed-upon testing and provide designated points-of-contact with status updates at agreed-upon intervals (e.g., daily, bi-weekly, etc.) in a pre-selected secure format.  Contacts receive an automatic notification of all security or compliance issues discovered that pose an immediate threat to the organization's networks, systems, Web applications, or other information assets.

 

  •   Report/Wrap-up

At the conclusion of testing, RVASI delivers a detailed report of our findings that includes proven/practical recommendations for remediating, mitigating, and thoroughly understanding the risk of issues discovered.  We also meet and discuss each of our reported findings with key individuals within your organization and provide ongoing support & resources throughout the resolution process.

 

Return on Investment (ROI)

RVASI's Web application penetration testing services help organizations identify, understand, and address vulnerabilities, design flaws, and compliance issues affecting their Web-based applications.  Doing so could ultimately save an organization thousands and possibly millions of dollars in losses to reputation, customer confidence, market share, productivity, legal recourse, and more.

 

Cost

Our Web Application Penetration Testing Service is extremely affordable and priced within the security budget of most small to large organizations.   The cost of this service is primarily based on the complexity of the application, the scope of the engagement, and travel expenses if internally performed.  

 

Getting Started

To get this process started, please take a few minutes and complete our Assessment Contact Form and a member of the RVASI team will contact you soon.  We look forward to hearing from you!

© Copyright 2005, RVASI, All Rights Reserved.