Continuous Penetration Testing for a Web Development Company
Checking the security posture of web applications
Web development
Penetration testing
2 years
Project idea
For nearly two years, we have partnered with a prominent UK web development company that creates custom websites and web applications for the UK and EU markets. Our goal has been to ensure the security of their products by penetration testing them before each release.
We were responsible for
- Security validation of the web apps, websites, mobile applications, and APIs before deployment
- Identifying and remediating vulnerabilities to prevent any malicious exploitation
- Performing Gray Box penetration testing
What we did
We needed to test the security of the client’s websites, web and mobile apps, and APIs. Here’s a breakdown of what we did to complete the testing.
Web app testing
Components: Custom web applications
Focus areas:
- Input validation and output encoding
- Authentication and authorization processes
- Session management and data storage
- Business logic implementation
Key findings:
- Multiple instances of XSS vulnerabilities (identified and mitigated)
- SQL injection flaws in several applications (handled)
- Possibility of session fixation and hijacking attacks (session management improved)
Mobile app testing
Components: Native and hybrid mobile apps
Focus areas:
- Secure storage of sensitive information
- Proper implementation of authentication mechanisms
- Protection against reverse engineering
- API interactions and data transmission
Key findings:
- Issues with sensitive data being stored insecurely on devices (found and addressed)
- Possibility of unauthorized access (authentication enhanced)
- Possibility of reverse engineering attacks (obfuscation techniques implemented)
API testing
Components: RESTful and GraphQL APIs used by web and mobile solutions
Focus areas:
- Input validation and parameter handling
- Authentication and authorization
- Rate limiting and error handling
- Data exposure and privacy
Key findings:
- Issues that allow unauthorized access to certain API endpoints (fixed)
- Some sensitive data was inadvertently exposed through APIs (fixed)
- Possibility of abuse and denial-of-service attacks (rate limiting applied)
Continuous Improvement
Feedback loop: We regularly provided detailed reports to the development team and conducted follow-up testing to verify the effectiveness of the implemented fixes.
Training and awareness: We delivered training sessions to the client’s team on secure coding practices for web, mobile, and API solutions.
Security integration: Our team assisted in integrating security checks into the development lifecycle and recommended tools and processes for ongoing security monitoring and testing.
Methodologies used
Our approach has consistently been Gray Box testing, in which the tester has partial knowledge of the system (such as credentials or internal documentation). This partial knowledge let us provide in-depth security evaluations without needing full access to the system.
Our methodology also included:
- Gathering information through reconnaissance and review of the provided documentation.
- Using automated tools for initial vulnerability scanning.
- Conducting extensive manual testing to identify complex vulnerabilities and logic flaws.
- Collaborating with the development team to understand specific application behaviors and potential attack vectors.
Results
The partnership was effective for our client and brought fruitful results.
All issues found in the web and mobile apps and APIs were quickly eliminated.
We significantly improved our client’s security posture and made sure every release was ready to ship.