Websites typically use web servers, web applications, and databases. Security gateways such as packet filters and web application firewalls are common protection mechanisms for web presences, but they do not provide complete protection: they can be undermined by misconfiguration or bypassed by new attack methods. In addition, they are often configured generically and can overlook the specific security needs of individual applications. It is therefore critical to make the web application itself as secure as possible to ensure a robust defense against potential attacks.
Advantages of a web check
Cost-effectiveness: Compared to more extensive testing that involves, for example, source code and background systems analysis, penetration testing for web applications is less expensive and still provides important security insights. Costs typically range from €3000 to €7000, a fraction of the cost of a real attack.
Scalability: As your organization grows and potentially develops more web applications, the fundamental findings from initial web application testing can be used to more efficiently secure new applications from the start.
Low impact on business operations: Web checks are typically non-invasive and can often be performed without significant disruption to day-to-day operations, making them a practical first step.
What does a web check include?
When conducting a web check, we focus on the web application and not on the upstream security gateway, since a test with an active security gateway provides less clear results about the security of the web application itself.
Before the actual test, a preliminary meeting is held to clarify all relevant technical details and general conditions. It is also discussed whether the web application will be hosted internally or by an external service provider.
During the test, it is important that a qualified contact person is continuously available. This allows queries to be clarified promptly and potential security risks to be addressed immediately. Although the tests are fundamentally non-destructive, system failures or even data loss can occur as a result of misconfigurations or discovered vulnerabilities. It is therefore important that up-to-date data backups are available and that the affected customers or employees are informed about the tests in advance. Under certain conditions, a test system can be used as an alternative.
What do I get in the result?
Upon completion of the IS Web Check, a comprehensive report will be prepared containing all relevant findings and results. This report is made available to the parties involved and all information contained in it is treated as strictly confidential.
The report categorizes the vulnerabilities found according to their criticality and explains the risks with examples. In addition, the report provides recommendations for general and specific security measures to address the identified vulnerabilities.
As proof that you have conducted a web check, you can receive a test mark. This shows your stakeholders that you take the security of your website seriously.
A web check is a snapshot and should be repeated at regular intervals, and in any case after fundamental changes to the components, to ensure sustainable security. Penetration tests such as web checks can never provide a complete guarantee of uncovering all vulnerabilities. However, they do significantly increase the security level of your applications and systems.
Building on the web check, additional test methods such as in-depth penetration tests including code analysis and background system testing are recommended.