Technically, WAA is a cloud service that provides automated crawling and testing of a client's web applications to identify vulnerabilities including, but not limited to, cross-site scripting (XSS), SQL injection and cross-site request forgery (CSRF). The automated service enables regular testing that produces consistent results, reduces false positives through manual verification of findings, and scales easily to cover many websites.
Built on a leading cloud security and compliance platform, our WAA service frees you from the substantial costs, resources and deployment issues associated with traditional on-premises scanning tools. The service offers ease of use and the scalability to scan thousands of web applications.
The objectives of the Web Application Assessment service are:
- Identify security vulnerabilities and issues that exist in the customer's web site and may be exploited by malicious attackers.
- Improve the security posture of the customer's web application by providing remediation guidelines following analysis of the identified vulnerabilities.
Scope of Service
The scope of the Web Application Assessment service includes web sites specified by the customer. Cloud4C performs the Web Application Assessment in two formats:
- External Web Application Assessment: Performed remotely against customer’s web site(s) that are publicly accessible.
- Internal Web Application Assessment: Performed from within the premises of the target organization. This type of scanning is usually performed against web sites and applications accessible only to the organization's employees, contractors and guests from within its network, such as an internal portal.
Process of Assessment
Web Application Assessment is usually performed according to the following steps:
Scan and crawl:
Gather information about the running web application including open network ports, web server version, installed modules and their version numbers, and crawl through all folders and files that may exist on the web site.
Assess:
Building on the information gathered in the previous phase, we assess the presence of web vulnerabilities or security misconfigurations by sending specially crafted requests to the web application and observing how it responds.
Verify:
Review the application's responses to the requests made in the previous phase, manually verify each identified web vulnerability, and eliminate false positives (for example, input that is reflected in a page but correctly encoded).
Report:
Report the verified web vulnerabilities, including an impact rating for each and the recommended action to mitigate it.
Cloud4C uses a combination of automated and manual methods for identifying web-related vulnerabilities and eliminating false positives. The following diagram summarizes the phases of the Web Application Assessment service:
To ensure successful and smooth execution of the Web Application Assessment, the following information and preparation need to be in place:
External Web Application Assessment:
The following scanner IP address ranges need to be allowed through perimeter firewalls and exempted from the web application firewall (if any), so that the assessment exercises the application itself rather than the WAF's filtering. The exemption should be limited to those ranges and removed once the assessment is complete.
Internal Web Application Assessment:
We need a Virtual Machine (VM) on which to install our security toolkit to collect and evaluate vulnerability data. The VM should have the following:
4 GB RAM, 100 GB of disk space, and a 2-core processor.
The VM should be allowed to reach the web applications in scope in order to perform the Web Application Assessment. In addition, the VM should be reachable from the internet by the Cloud4C team through VPN or remote desktop to allow remote management and execution of the service; this inbound access should be restricted to the Cloud4C team's source addresses. Further, the VM should be allowed outbound communication to the remote scanner IP address or range of IP addresses.
An image will be provided to the customer by Cloud4C security team. The image needs to be deployed on the VM. As soon as the image is deployed, it will ask for a personalization code that will also be provided to the customer by Cloud4C team.
Upon completion of the Web Application Assessment, a detailed report is sent to the client including the following:
- Executive Summary: Summary of the purpose of the assessment, with a brief explanation of the threats the organization is exposed to from a business perspective.
- Findings: A detailed, technical explanation of the findings of the assessment along with steps and proofs of the findings.
- Conclusion & Recommendations: Final recommendations and a summary of the issues found during the security assessment.
Service delivery time
A Web Application Assessment covering about five web applications can be completed in three business days.