Application Security

SureCloud's certified test consultants provide three levels of web application security testing:

  • Application Health Checks
  • Non-privileged Application Penetration Tests
  • Privileged Application Penetration Tests

The Application Health Check service has been created to provide organisations with a cost-effective, risk-based approach to the testing of web applications. Applications are manually assessed for vulnerabilities in conjunction with SureCloud's proprietary web application vulnerability scanning technology, SureCloud AppScanner™. This approach to testing prioritises high-risk and high-visibility pages in order to identify critical vulnerabilities that could impact the confidentiality, integrity or availability of web applications, whilst also providing maximum value for money for our customers. If an application warrants further testing, we can advise on a case-by-case basis.

Full application penetration tests come in two forms: non-privileged and privileged testing. The non-privileged test covers all publicly available content up to and including any login pages. The privileged test covers more in-depth testing in an authenticated state, such as vertical and horizontal privilege escalation.

Web application penetration tests take into account the business logic within the application, and SureCloud's consultants all have valuable industry experience in our target sectors (Financial Services, Government and Retail). All tests performed by SureCloud are based on SureCloud's own knowledge base and the current OWASP Top 10 (as referenced in the PCI DSS), and aim to cover the following areas:

  • Cross-site scripting (XSS)
  • Injection flaws (SQL injection, LDAP, XPath, etc.)
  • Malicious file execution
  • Insecure direct object references
  • Cross-site request forgery (CSRF)
  • Information leakage and improper error handling
  • Broken authentication and session management
  • Insecure cryptographic storage
  • Insecure communications
  • Failure to restrict URL access

White Papers

Winning the Compliance Battle

Toby Scott-Jackson gives his tips on how to achieve GCSx CoCo and PCI DSS compliance.


The Anatomy of an Attack

Learn about established attack vectors and why they appear to be re-emerging.


The Information Security Fracture

How do we resolve the disconnect between an organisation's information security needs and its investments in security controls?