Overview

Web application pen-testing is done by certified WAPT experts who have extensive experience in web application development and pen-testing. We do not rely just on tools to blindly create a report and throw it at the customer after modifying it. The process and the approach is a combination of manual and automated testing. Furthermore Orchidseven is a vendor neutral body and does not endorse any specific product or tool for its testing. You might be interested in taking a look at The WAPT Certification  to understand the kind of skill set the consultant's posses.

Process/Approach
Generally if the URL is online and can be remotely accessed our experts will remotely conduct the entire testing to reduce your cost. If the application is custom made and deployed on an intranet, we can test the application on site. Alternatively you might want to certify one of your internal staff, on WAPT track to conduct regular in-house audits.

What will we commonly check?
Some of the things we check include:
  • SQL Injection
  • Cross site scripting
  • Cross site request forgery
  • Testing of open source applications (Drupal, PHPBB, Moodle etc)
  • AJAX Security
  • Web Component Security (includes .Net & J2EE)
  • Payment Gateways

Reports given:
In most cases apart from in-depth technical reports and executive summary for the management we will provide videos of the attacks conducted on your web applications. These will help you technically understand the real scenario than just blindly trusting the reports submitted. It is entirely your responsibility to keep the reports/videos confidential. As per our policies, Orchidseven will not keep any copies of the confidential reports.

Contact : sales [at] orchidseven.com