Web and API Penetration Testing

Modern web applications continue to be a challenge for organizations to secure as developers build increasingly complex business applications faster than ever.

Many organizations are releasing new or updated web applications multiple times per day, each containing multiple vulnerabilities on average. Often outnumbered by developers by 100:1, security teams are struggling to keep up, and most web applications are not assessed for security issues until it’s too late. Lack of application security skills and resources inhibit many organizations from adequately defending against cyberthreats.

At PTG we use a combination of the best commercial and open source penetration tests in order to provide Web Application Testing with high detection rates with minimal false positives, ensuring you understand the true cyber risks in your web applications.

Our Web Application Scanning service is not only able to scan traditional HTML web applications, but also supports dynamic web applications built using HTML5, JavaScript and AJAX frameworks, including Single Page Applications.

Many web applications implement authentication to control access to sensitive user data, which can inhibit the ability of vulnerability scanners to assess the application. Our Web Application Scanning supports a broad range of authentication options, such as form-based authentication, cookie-based authentication, NTLM support, and Selenium based authentication, to address most web application requirements.

We offer professional RESTful API pen testing as well as through OpenAPI (Swagger) specification files.

Optional manual test remediation review and official validation letter, issued by our engineering team, and certifying the validity of your fixes (vulnerabilities addressed, false positives confirmed, etc). 

Business and audit friendly reports are available instantly or upon request and provided in multiple formats (CSV, PDF, HTML).


What are the available pen test options?

The following tests can be run on an ad hoc basis or scheduled with a set schedule:

Config Audit
PCI DSS Audits (Internal or External)
SSL/TLS checks
Overview / Light Scan
Log4J and other popular vulnerabilities
Overview / Lightweight Scan
Comprehensive Scan
API (REST) testing
Authenticated or unauthenticated public scans
Credential Bruteforce
Content Security Policy
Cookies, Headers, Forms, Query Strings, JSON checks
URL lists or auto crawl
Custom RFI parameters
WAF testing and rule validation
SIEM efficiency testing 
Attack simulation tests

Meet your compliance requirements

External web application, web server, and web API penetration testing are mandatory requirements for most compliance frameworks (ISO 27001, SOC 2, PCI DSS, NIST, HITRUST, etc). Our service and reporting options will help you not only meet your compliance requirements and satisfy your auditing team, but provide you with an improved security posture benefiting your organization and your clients.

In addition having the right security services and a robust security posture will help you obtain better cyber insurance coverage and help you lower your insurance premiums.

Our services are compatible with all major cloud providers (AWS, GCP, Azure, Rackspace, Oracle, IBM, DigitalOcean) and can be used for internal and external PCI auditing.

PTG Blog

Get email alerts when we publish new blog articles!

more blog posts:

Cloud Security

MITRE ATT&CK Tactics

The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions.

Read More
Compliance

HIPAA Security Rule summary

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI)

Read More