PCI DSS web application penetration testing


PCI Web Application Penetration Testing

What is PCI Web Application Penetration Testing?

PCI DSS Requirement 6.5 specifies that organisations must "Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes."

PCI DSS Requirement 11.3 specifies that organisations must "Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment)."

Requirement 11.3.2 specifies the requirement for application penetration tests.

PCI web application penetration testing is typically used by clients who need assurance that web applications in the cardholder data environment are implemented with appropriate security controls.

The objective of a PCI web application penetration test is to uncover vulnerabilities in the application which may allow an adversary to perform malicious activity.  Web application penetration tests are generally conducted remotely.

Overview of our service

Our first activity in the web application penetration testing process is to establish the specific threats which each application must be able to defend against.  Having completed this step, we then test to find weaknesses which may make these threats exploitable.  As part of this service, we also benchmark the web application against globally accepted security standards.  See Web Application Security Certification.

Our penetration test focuses on the goals of the adversary: what does he want to achieve?

After studying the application, the Test Engineer prepares a threat profile and agrees it with the client.  The threat profile drives the test plan, which maps each threat in the threat profile to specific pages on the site.

Once the test plan is prepared and agreed by a Test Team Leader, the testing begins. The tests are a combination of manual and automated checks. When an attack succeeds, we capture the screenshots of the attack. Our final report walks through the attack with the aid of these screenshots.

Within the report, the final results are clearly benchmarked against OWASP Top 10 (for PCI DSS), The Plynt Certification Criteria (Web Security Assurance Programme) or the client's internal security standards.

Our engineers test applications written to a wide range of platforms from J2EE to .Net, and from Mobile applications to Mainframe applications.

Key service attributes

Our PCI web application penetration testing and certification service has received multiple industry awards.  Key attributes of the service are:

  • Comprehensive threat profiling provides clarity of your real security risks
  • Measurement and certification against global standards provides credible security benchmarking
  • Zero false positive findings - human intelligence is used to verify each finding, allowing you to effectively focus on fixing the real issues
  • Highly mature testing process provides exhaustiveness and consistency
  • Reporting is detailed and transparent, showing exactly what has and hasn’t been tested
  • Web Application Security Certification programme provides evidence of strong web application security controls

What you receive

The results of the tests are presented logically and clearly and are provided through an online secure portal (also downloadable as a PDF).  The test report includes the following details:

  • Executive summary
    • Regulation compliance
    • Vulnerability graph
  • Detailed vulnerabilities
    • Detailed steps
    • Solution
    • Further reading
  • Unconfirmed vulnerabilities
    • Detailed steps
    • Solution
    • Further reading
  • Observations
    • Description
    • Solution
  • Test plan
  • Interpreting risk ratings
  • Mitigation tracker
  • Plynt Certification Criteria compliance
  • The OWASP Top 10
  • PCI DSS Compliance
  • Secure Coding Guidelines

The reports provide a view of the findings ranked by risk level, helping you prioritise on the areas of greatest risk.  Clear guidance and concise solutions are included to help you quickly eliminate all vulnerabilities found.

What to do next

Contact us on 0844 488 0963, email us at info@securityalliance.co.uk or complete our Enquiry Form to discuss requirements, get an online demonstration, request a sample report or arrange a meeting.