Overview

Summary of plan options

Our goal is to deliver personalized and affordable web application security testing and vulnerability analysis. To keep this as customizable as possible, we offer several plans. Which plan is practical for you will depend largely on the scale of your website and how thoroughly you want it tested.

In summary, the bronze plan is for small websites, roughly the size of a blog, containing no more than about half a dozen server-side scripts.

The silver plan is for medium-sized websites, such as a small platform with a limited feature set (Craigslist, for example).

The gold plan is for large websites, such as large trading platforms, e-commerce sites, or large social networks (think Reddit, Facebook, etc.).

And lastly, the platinum plan is for continuous, rigorous testing on an ongoing basis. This may be the option to choose if your web application undergoes continuous change, or is critical enough that it must be examined continuously. It is also the best option if you want the penetration testers who scrutinize your security to study your website specifically. Typically, our penetration testers use semi-automated tools to examine your website. However, some vulnerabilities can only be discovered when the layout and logic of the targeted website are studied individually. This is also what a determined attacker would do: craft an attack tailored to your website. If you want the most rigorous security testing possible, the platinum plan is recommended.

Note that for the bronze, silver, and gold plans, pricing is based on the overall time the testing will take, not just the size of your website. For example, if you have a very large web application but want only a small testing scope, we may be able to do this at a lower price under the bronze plan. Similarly, if you have a small website but want very comprehensive testing, you may need a more expensive plan. If the auditor determines that the plan you have chosen is not the best fit for your project, they will discuss this with you.

How it works

Firstly, you decide on a plan. You will be emailed a form to fill out which will collect all relevant information, including things such as which security vulnerabilities you want tested and which you do not want tested (pricing will vary accordingly), the duration of the test, etc.

A quote will be generated and, if you agree to it, the price is fixed, to be charged after the test, analysis, and consultation are complete. We will also give you the option to discuss any unique testing needs you have. If you only need something small done, we can do it quickly and at a lower cost.

Next, we verify that you do, in fact, own the web application that you are hiring us to test. There are several ways we can verify this, including contacting your company directly, emailing an administrator whose address belongs to your domain, or asking you to place a file containing a token we provide in the root directory of your website. Once we have verified your authorization to test your web application, we will have you sign a contract and then begin testing.
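The file-upload form of ownership verification described above can be made mechanical. The following is an added example, not the company's own tooling: the tester issues a random token, the client publishes it at an agreed path (the file name and the HTTPS requirement are assumptions of this example), and the tester fetches it back and compares it in constant time. The fetch is injectable so the check can be exercised offline against constructed responses.

```python
import hmac
import secrets
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumed file name for the challenge; the page does not specify one.
CHALLENGE_PATH = "/pentest-verification.txt"


def make_challenge() -> str:
    """Return an unguessable token for the client to publish at CHALLENGE_PATH."""
    return secrets.token_urlsafe(32)


def token_matches(fetched_body: bytes, expected: str) -> bool:
    """Compare the served file with the issued token.

    Editors often append a newline, so surrounding whitespace is ignored;
    the comparison itself is constant-time.
    """
    got = fetched_body.decode("utf-8", errors="replace").strip()
    return hmac.compare_digest(got.encode(), expected.encode())


def fetch_challenge(base_url: str, timeout: float = 10.0) -> bytes:
    """Fetch the challenge file. Raises on network or HTTP errors."""
    url = urljoin(base_url, CHALLENGE_PATH)
    req = urllib.request.Request(url, headers={"User-Agent": "ownership-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # A challenge file is tiny; read a bounded amount so a stray 200 on a
        # large page cannot stall the check.
        return resp.read(1024)


def verify_ownership(base_url: str, expected: str, fetch=fetch_challenge) -> bool:
    """True only if the site serves exactly the issued token over HTTPS.

    HTTPS is required (an assumption of this example) so that an on-path
    attacker cannot forge the response. `fetch` is injectable for offline tests.
    """
    if urlsplit(base_url).scheme != "https":
        return False
    try:
        body = fetch(base_url)
    except (urllib.error.URLError, OSError, ValueError):
        return False
    return token_matches(body, expected)


if __name__ == "__main__":
    token = make_challenge()
    print(f"Ask the client to serve this at {CHALLENGE_PATH}: {token}")
    # After the client confirms: verify_ownership("https://example.com", token)
```

Issue one token per engagement and retire it once the contract is signed; a token that is reused across clients, or accepted over plain HTTP, no longer proves control of the domain.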

The penetration tester assigned to your project will be in contact with you throughout the entire test. Once the test is done, a report will be generated, and the penetration tester will also talk to you directly, to cover any detail that cannot be adequately communicated in a formal report and to answer any questions you have.

Payment is due once the report and consultation have been delivered.

FAQ

What is included in the penetration testing report?

The final report includes the technical details of the penetration test as well as a graphical summary that non-technical readers can review, giving a general picture of the security posture of the applications or hosts tested. The technical detail includes a breakdown of which vulnerabilities were found and where, along with the steps needed to reproduce each one as a proof of concept. The report also includes specific technical instructions for how each vulnerability can be fixed. You will also have the opportunity to discuss the findings in the free post-testing consultation with the penetration tester assigned to your project. See the sample report for an example.

What types of vulnerabilities do you search for?

We limit the scope of the testing to whatever you want done. Within that scope, we check for the major and most common classes of vulnerability. This includes cross-site scripting (XSS), SQL injection, other injection flaws (such as PHP code injection and OS command injection), directory traversal, and insecure design. We examine forms to see whether pages appear vulnerable to cross-site request forgery or clickjacking. Server-side software versions can also be checked against published CVEs. We examine the implementation of access control, including the security of cookies and session handling. We can also brute-force login credentials, with your agreement, to assess the strength of authentication and of any lockout or rate-limiting controls. Social engineering (via email) can be employed to test staff knowledge and awareness. Many security holes are quite obscure, so, if desired, our penetration testers can examine your website individually and scrutinize it under a proverbial microscope, the way a cunning and determined attacker would.
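As an illustration of the form and header checks mentioned above, here is an added example (not the company's own scanner) that flags POST forms lacking a recognizable anti-CSRF field and reports whether a response's headers prevent the page from being framed. The token field names are a heuristic list and the sample page and headers are constructed; a custom token name or a token carried only in a cookie-plus-header scheme would be missed and must be reviewed by hand.

```python
from html.parser import HTMLParser

# Common names for anti-CSRF hidden fields (heuristic; custom names are missed).
ANTI_CSRF_NAMES = {
    "csrf_token", "csrftoken", "csrfmiddlewaretoken", "_token",
    "authenticity_token", "__requestverificationtoken", "_csrf",
}


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": a.get("name", "").lower(),
                 "type": a.get("type", "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def forms_without_csrf_token(html: str) -> list:
    """Return the actions of POST forms that carry no recognizable anti-CSRF field."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for form in parser.forms:
        if form["method"] != "post":
            continue  # GET forms should not change state, so they are skipped here
        has_token = any(i["type"] == "hidden" and i["name"] in ANTI_CSRF_NAMES
                        for i in form["inputs"])
        if not has_token:
            flagged.append(form["action"])
    return flagged


def framing_protection(headers: dict):
    """Name the header that stops the page being framed, or None if it can be."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "x-frame-options"
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            # 'frame-ancestors *' permits any origin, so it is not protection.
            if sources and "*" not in sources:
                return "csp-frame-ancestors"
    return None


# Constructed sample page and headers (not taken from any real site).
SAMPLE_HTML = """
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="d41d8cd9">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form method="POST" action="/transfer">
  <input type="text" name="to"><input type="text" name="amount">
</form>
<form action="/search"><input type="text" name="q"></form>
"""
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    print("POST forms lacking a CSRF token:", forms_without_csrf_token(SAMPLE_HTML))
    print("Framing protection:", framing_protection(SAMPLE_HEADERS))
```

On the sample page only the /transfer form is flagged; the /login form carries a token and the search form is a GET. A hit from either function is a lead to confirm manually (for example, by replaying the POST from another origin), not a finding on its own.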

How long does a penetration test take?

It depends primarily on the size of your applications and the scope of the testing you want done. It can take anywhere from a few days to a few weeks, depending on your specific needs and on the design of your web applications. The penetration tester assigned to your project will be able to give you a more precise estimate after examining your project.

How much will it cost?

It depends on a number of factors, namely the same factors that determine how long the penetration test will take. The final cost will be calculated before the work begins, and the price will be fixed so that you have an unambiguous and unchanging figure to agree to before testing starts. Our penetration tester will communicate with you to give you a final price. If you opt for a bronze, silver, or gold plan, the price is a one-time payment. If you opt for continuous testing via the platinum plan, you will be billed weekly according to the time our penetration testers have spent on your project.

Will a penetration test break or disrupt my website?

If your web application is secure and robust, it is unlikely that anything will break or be disrupted. If it is not, there is a possibility that a penetration test may be disruptive. Such risks are a necessary part of identifying the source of the weakness so that it can be fixed. Our penetration testers will work with you to conduct testing in a way that is as non-disruptive and non-invasive as possible, according to your specifications: for example, only testing during certain hours of the day (within reason), only testing certain pages in certain ways, or contacting you before any potentially disruptive test and scheduling it with you. Every effort will be made to ensure the test is as non-disruptive as it can be.

Are your penetration testers certified?

All of our penetration testers are carefully vetted before hiring. Not all hold a technical certification, but every tester has a relevant combination of education, experience, and/or certification. We understand that it is very important that the penetration tester assigned to your project has the requisite competency. If for whatever reason you experience difficulty with the tester assigned to your project, we will assign you a new one upon request, no questions asked. The replacement tester will simply continue from where the previous one left off, keeping any delay to a minimum.