One-day Application Security Assessment

Meristem will spend a single day testing a website or application for the most common application security flaws, simulating a lightly motivated attacker looking for an easy target. This level of test is not intended to satisfy external requirements for a penetration test, but it will identify critical control gaps and should give application owners some peace of mind. Meristem will also identify features of the application that commonly contain security flaws and provide points to consider when securing those features.
Standard Application Security Assessment

An examination of the security controls in place for a website or application based on Level 2 of OWASP’s Application Security Verification Standard (ASVS) with additional checks based on current application security threats and Meristem’s industry expertise.  This level of test satisfies most requirements for an application penetration test, including PCI DSS requirements.
Application Security Assessment with Source Code Review

Meristem will perform a Standard Application Security Assessment based on Level 2 of OWASP's Application Security Verification Standard, with the same additional checks, and will also review the application's source code for common errors and implementation mistakes. With this additional access, Meristem can be more confident in the results and, in many cases, can definitively state that an application does not contain specific vulnerability types. Source code review lets Meristem efficiently identify corner cases in application logic, validation routines, and data handling practices that are difficult to find within the limited timeframe of a standard assessment but could be discovered by an attacker through chance or persistent effort.
Enhanced Application Security Assessment

An examination of the security controls in place for an application based on Level 3 of OWASP’s Application Security Verification Standard with additional checks based on current application security threats and Meristem’s industry expertise.  This additional level of examination is appropriate for highly sensitive applications that must withstand significant scrutiny by both users and attackers.  The assessment requires access to the application source code and interviews with application architects and developers.
Security Design Review

A security design review is similar to a tabletop penetration test. Meristem will conduct a short series of meetings with those who know your application best (typically architects, lead developers, and product owners) to identify the key components, data flows, assets, and threat actors. Based on that view, the group will identify the controls needed on each data flow to adequately protect the assets and identify potential control gaps. This review can be done on an existing application or, ideally, when an application is just completing the design phase.