Web and API Penetration Testing

Modern web applications continue to be a challenge for organizations to secure as developers build increasingly complex business applications faster than ever.

Many organizations are releasing new or updated web applications multiple times per day, each containing multiple vulnerabilities on average. Often outnumbered by developers by 100:1, security teams are struggling to keep up, and most web applications are not assessed for security issues until it’s too late. Lack of application security skills and resources inhibit many organizations from adequately defending against cyberthreats.

At PTG we use a combination of the best commercial and open source penetration tests in order to provide Web Application Testing with high detection rates with minimal false positives, ensuring you understand the true cyber risks in your web applications.

Our Web Application Scanning service is not only able to scan traditional HTML web applications, but also supports dynamic web applications built using HTML5, JavaScript and AJAX frameworks, including Single Page Applications.

Many web applications implement authentication to control access to sensitive user data, which can inhibit the ability of vulnerability scanners to assess the application. Our Web Application Scanning supports a broad range of authentication options, such as form-based authentication, cookie-based authentication, NTLM support, and Selenium based authentication, to address most web application requirements.

We offer professional RESTful API pen testing as well as through OpenAPI (Swagger) specification files.

Optional manual test remediation review and official validation letter, issued by our engineering team, and certifying the validity of your fixes (vulnerabilities addressed, false positives confirmed, etc). 

Business and audit friendly reports are available instantly or upon request and provided in multiple formats (CSV, PDF, HTML).


What are the available pen test options?

The following tests can be run on an ad hoc basis or scheduled with a set schedule:

Config Audit
PCI DSS Audits (Internal or External)
SSL/TLS checks
Overview / Light Scan
Log4J and other popular vulnerabilities
Overview / Lightweight Scan
Comprehensive Scan
API (REST) testing
Authenticated or unauthenticated public scans
Credential Bruteforce
Content Security Policy
Cookies, Headers, Forms, Query Strings, JSON checks
URL lists or auto crawl
Custom RFI parameters
WAF testing and rule validation
SIEM efficiency testing 
Attack simulation tests

Meet your compliance requirements

External web application, web server, and web API penetration testing are mandatory requirements for most compliance frameworks (ISO 27001, SOC 2, PCI DSS, NIST, HITRUST, etc). Our service and reporting options will help you not only meet your compliance requirements and satisfy your auditing team, but provide you with an improved security posture benefiting your organization and your clients.

In addition having the right security services and a robust security posture will help you obtain better cyber insurance coverage and help you lower your insurance premiums.

Our services are compatible with all major cloud providers (AWS, GCP, Azure, Rackspace, Oracle, IBM, DigitalOcean) and can be used for internal and external PCI auditing.

PTG Blog

Get email alerts when we publish new blog articles!

more blog posts:

Cloud Security

AWS: Shared Responsibility and Risk Model

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Read More
Prodigy 13 - Zero Trust Cybersecurity
Cybersecurity

Threat Hunting Myths

Threat hunting is the human-driven, proactive and iterative search through networks, endpoints, or datasets in order to detect malicious, suspicious, or risky activities that have evaded detection by existing automated tools.

Read More