One of the core services we offer our clients is Assurance testing. Similar to
Penetration testing but without its pitfalls, assurance services provide a
level of "risk" and "maturity" of the application's security features. In
talking with clients over many years, our team determined that although
"penetration testing" was a commonly used service, our clients really just
wanted to understand the following:
- Does my application have vulnerabilities that can be exploited?
- How hard is it for someone to exploit the vulnerability?
- What can they get access to? What's the impact of the vulnerability?
- How do I compare against my competitors and industry standards?
- Is the application secure?
In general, penetration testing can answer most but not all of the above
questions. Because penetration testing is focused on depth (finding exploits),
it is difficult to gauge the overall security of the application. So,
Penetration testing is capable of answering the first 3 questions. The most
difficult question to answer is (5) Is my application secure? The only way to
determine this is by having a detailed methodology that ensures complete
"coverage" across the application and not just common weaknesses in the system.
Typically, Appsecure teams find on average 30% more vulnerabilities than
previous tests performed, due to the coverage our Assurance testing has against
Penetration
Assurance testing programs have been designed by Appsecure to answer all of the
above questions. In most cases, the additional time, effort and cost of using
assurance testing over penetration testing is minimal. When conducting Assurance
testing, a detailed methodology is used, and the application, its design,
security controls and environment are reviewed for broad coverage. All the
common penetration tests are completed, as you would receive in a Penetration
Our test teams and internal database of assessments provide us with detailed
knowledge for comparing assessments against other industry-related applications.
This helps us work with our clients on a basic weighting system to provide
advice on the "industry norm". This is important for any business, ensuring that
they not only adhere to industry standards but also keep up with their
competitors. Our industry baselines are placed into categories and measured in
averages; clients' data is never released or shared. However, it helps to
formulate industry averages that in general allow all our clients to measure
their own projects.
Although similar to the testing approach for Penetration Testing, the following key differences exist:
- All Penetration testing methodology performed (test cases)
- Analysis of the Hosting environment/infrastructure platform from an application
point of view
- Third party integration and review of interconnecting data streams
- Review of ACL/Access control rules
- Understanding and high-level review of architecture design and database
connectivity (where available)
- Review of Business logic security control design
- Maturity baseline against similar applications and business units
- Configuration environment (review where possible of implementation)
- Further in-depth analysis across the application components/feature sets
To understand more about Assurance testing, talk with one of our team members.