What is OWASP penetration testing?
OWASP pen testing is the assessment of web applications to identify vulnerabilities outlined in the OWASP Top Ten. An OWASP pen test is designed to identify, safely exploit and help address these vulnerabilities so that risks can be mitigated before they are exploited by adversaries.
What are the benefits of OWASP pen testing?
An OWASP penetration test offers several significant benefits for organisations, particularly those that develop web applications in-house and/or use specialist apps developed by third parties.
Pen testing helps organisations by:
- Identifying and addressing vulnerabilities before they can be maliciously exploited
- Reducing the risk of damage and disruption
- Providing an independent overview of the effectiveness of security controls and better assurance for PCI DSS, ISO 27001 and GDPR compliance
- Helping to improve security practices across the software development lifecycle
- Supporting more informed decision-making around future security investments
When should you conduct an OWASP pen test?
All organisations are advised to conduct a penetration test at least once a year. Organisations that develop web applications should test more frequently, and a test should also follow any major software release or significant change to infrastructure. Regular penetration testing is required for compliance with the PCI DSS and ISO 27001, and is strongly advised under the GDPR, DPA and NIS Directive.
What vulnerabilities does an OWASP pen test identify?
An OWASP security pentest can help to identify key vulnerabilities such as those listed in the OWASP Top Ten:
- Broken access control
- Cryptographic failures
- Injection flaws
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
For more information about each of these vulnerabilities, view our guide to the OWASP Top Ten Web Application Security Risks.
Who performs OWASP pen tests?
OWASP pen tests are conducted by certified ethical hackers with specialist knowledge of current web application development techniques and the latest security threats. Web application penetration testing qualifications vary, but common ones include CREST CRT and CCT APP, OSCP, CEH and QSTM.
How long does an OWASP pen test take?
The time it takes an ethical hacker to complete an OWASP pen test depends on the scope of the test, which is agreed before any engagement begins. Scoping an assessment requires information such as:
- Type of application
- Brief overview of the key functionality
- Number of user roles
- Whether the app uses a REST API backend and, if so, the number of API endpoints
- Screenshots
- Network size
- Whether the application is internal or external facing
- Whether network information and user credentials are shared prior to the pen testing engagement
Why use Kroll for OWASP pen testing?
Kroll conducts over 100,000 hours of security testing every year, so you can be confident in our ability to develop a testing program best suited to the needs of your business.
Kroll’s OWASP penetration testing service can be commissioned to assess both proprietary web applications developed in-house and those supplied by third-party vendors. Our ethical hackers comprehensively test for web application vulnerabilities, including those listed in the OWASP Top Ten, and provide the support needed to help address them quickly and effectively.
Our OWASP pen testing engagements are conducted to the highest legal, ethical and technical standards and follow best practice in key areas such as preparation and scoping, assignment execution, post-technical delivery and data protection.
At the end of each OWASP pen test, we provide a detailed report outlining the level of risk posed by each finding and the remediation advice required to help address it quickly and effectively.