An Application Penetration Test assesses the security of your web application, API, or thick client against the same tools and techniques leveraged by attackers. Our team of highly experienced consultants will dive deep into the inner workings of applications, uncovering vulnerabilities and logic flaws.
As a core part of our methodology, we follow the OWASP Testing Guide to test for the OWASP Top 10 (2017 edition) vulnerability categories: injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.
Application Penetration Testing highlights:
Our application penetration testing methodology identifies application security vulnerabilities by combining automated and manual testing techniques. Assessments begin by crawling and footprinting the application. Next, the assessment team conducts vulnerability scans with automated tools and manually validates the results to weed out false positives. Finally, the team manually identifies and exploits implementation errors and business logic flaws that scanners cannot find. Check out our complete application penetration testing methodology for more details on what to expect.
Wherever you fall on the spectrum of time-boxed to comprehensive testing, we always test for the OWASP Top 10 which includes: injection, broken authentication, sensitive data exposure, XML external entities (XXE), and more.
Our highly skilled, creative, and experienced consultants discover business logic and privilege escalation flaws that can only be found manually. We go beyond automated dynamic scans to ensure critical vulnerabilities don't fly under the radar.
In addition to validating the security of an application from a compliance perspective, application penetration tests can be used throughout an Agile or DevSecOps lifecycle to find and fix flaws before they get ‘inherited’ into production. We’ll find vulnerabilities in places you never thought to look.
We simulate a real-world attack on the apps and services most critical to your business. With an attacker perspective, you can demonstrate the true business impact of vulnerabilities while also prioritizing the most critical ways you can secure the app environment.
Pair with an Architecture Security Assessment (ASA) and our Threat Modeling service for an in-depth assessment of the threats your application faces. By discovering your app’s full attack surface, you’ll be able to secure it against targeted attacks.
Our high-quality reporting goes above and beyond static risk ratings and generic scoreboards. In addition to being fully customized to your application, your organization, and your desired outcomes, our reports offer actionable security guidance.
Our consultants have decades of experience testing apps and rely on industry standard methodologies. We do this to ensure breadth of coverage and depth of testing.
“I wanted to choose a company with deep technical skills that clearly excelled at offensive security. I didn’t want to simply ‘check a box’ when it came to security.”
— Victor Vuillard, Chief Security Officer and Chief Technology Officer at Parrot
Application Security Practice Director
Kelly Albrink (CCNA CyberOps, GCIH, GSEC, OSCP, GWAPT, Sec+) is the Application Security Practice Director at Bishop Fox. In this role, she focuses on red teaming, application penetration testing, network penetration testing, and hardware (IoT) security.
Kelly has presented at a number of Bay Area events including Okta's inaugural security conference, Okta Rex, Day of Shecurity, and the DeadDrop San Francisco Meetup. She is a recipient of the SANS CyberTalent Immersion Academy scholarship, and is an active CTF participant. Kelly has competed in the NetWars Tournament of Champions, a national invite-only competition that admits only those who have placed highly in regional CTFs. In addition, she volunteers with her local hackerspace, Noisebridge, where she organizes Infosec Lab Nights and mentors aspiring penetration testers.
We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.