The benefits of agile testing
What we test
Examples of the types of vulnerabilities we look for and the areas we assess include:
- Authentication: weak/default credentials, flawed password reset mechanism, inappropriate password policy, inadequate protection against brute force attack, credentials exposed over HTTP, insecure password storage, user enumeration, etc.
- Session management: weak session cookie configuration, inappropriate timeout settings, flawed logout mechanism, session fixation, session token generated with insufficient entropy, etc.
- Authorization and access control: horizontal and vertical privilege escalation, client-side verification not enforced by server.
- Cross-site scripting (XSS): stored, reflected, DOM-based, etc.
- SQL injection
- Other injection vulnerabilities: OS command injection, NoSQL injection, LDAP injection, Expression Language injection, Server-side template injection, XPath injection, etc.
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Insecure file upload
- XML-related issues: XML external entities (XXE) attack, external DTD enabled, billion laughs attack, etc
- Unsafe deserialization: Java, PHP, .NET, etc.
- Business logic flaws
- Unnecessary information disclosure
It is impossible to exhaustively cover all possible security vulnerabilities that may affect an application. Consequently, the aim of our test methodology is to act as a baseline, with additional tests and checks being performed by the consultant as necessary.
Our approach to agile testing
Every business is different, and our agile testing methodology is designed to be flexible to fit in with your development practices. Our general approach would typically be as follows:
We work with you to fully understand your organisation, your goals, your development practices, the application in question and your desired outcomes.
2. Proposal & prerequisites
A proposal will be drawn up outlining the planned scope of work, a pre-agreed number of consultancy hours that will be made available and the preparations needed to start testing.
3. Resources on standby
Our security consultants will be made available to you at any time, when you need them.
When you need a part of your application testing, we will agree the number of hours to be spent, and then perform the testing immediately. In accordance with agile principles, adaptiveness here will be key to achieve the best results without too much “red tape” and paperwork.
Security issues will be flagged and reported as part of the testing activity. This can be in any format that suits your development team, be it over chat, ticket, email or otherwise.
Why choose us
Our agile testing is designed to support your security improvement efforts. It’s this support that truly sets us apart and our team is dedicated to reducing your cyber threat, to pass on our wealth of expertise and to provide you with the security assurances required.
Want to find out more about our agile testing service? Our team are on hand to provide you with the information and support you need. Please fill out the form below and one of our team will be in touch shortly.
Our latest research
Our Labs page is the place to discover our latest research, advisories, tool releases and challenges.
Looking to improve your security? Our insights are a great place to start.