We will assess the security of the designated web applications, including the front-end, back-end, and underlying hosting architecture. Our approach to web application penetration testing is modeled on the Open Web Application Security Project (OWASP) testing methodology and therefore follows the current OWASP recommendations and best practices. We built our proprietary testing methodology specifically around the OWASP testing guide, as it is the definitive resource for web application penetration tests. This allows us to be creative in our testing while staying within a secure and proven framework.

We use a balanced methodology of both code review and penetration testing. Generally, we mirror the site we are testing with a web spider that downloads all the pages and front-end code to make a local copy. We perform an initial review of any included JavaScript, framework-specific generated code, third-party plugins, and any other dynamically generated DOM/HTML. The team then uses the results to identify possible issues and attack scenarios that would best fit the web applications.


Once an engagement is concluded, EAM Solutions Group will provide several types of reports and recommendations to our clients based on the level of assessment. The two reports are a detailed report and an executive summary report.


From the detailed technical report, VET-Cyber teams will create an Executive Summary report for the non-technical audience.  This report gives a high-level overview of the methodology used and includes numerous summaries and graphical representations describing the findings.  This allows quick and easy access to the assessment results at any time.  The summary report does not include remediation instructions, nor does it include any raw scan results.


Findings Meeting and Project Closure

After the completion of all testing, EAM Solutions Group VET-Cyber will conduct a findings meeting to present the findings and explain them in detail to the customer. Senior management personnel will have the ability to ask any questions and make requests for changes to the final report, such as clarifying a finding or presenting the information in a slightly different way.