Web Application Security Testing.
OWASP-aligned testing of business logic, authentication flows, authorization boundaries and API surfaces - manual depth where it counts.
Three approaches. One uncompromising standard.
Choose the depth of engagement that matches your risk profile and reporting needs.
ASVS Level 1
Opportunistic-attack defence for public-facing apps. Suitable for low-risk applications or as a fast-turnaround pre-launch assurance step.
- Authentication & session hygiene
- Input validation & injection coverage
- Common misconfigurations
- Transport security & headers
ASVS Level 2
The default coverage tier for production applications handling sensitive data. Adds business-logic depth and authorisation testing on top of L1.
- L1 coverage in full
- Authorisation & RBAC boundary testing
- Business-logic flaw discovery
- API security - REST & GraphQL
- Authenticated & unauthenticated testing
ASVS Level 3
Designed for systems holding regulated data or operating critical infrastructure. Includes source-aware review and threat-modelling deliverables.
- L1 + L2 coverage
- Source-aware code review
- Threat-modelling workshop
- Cryptographic implementation review
- Supply-chain & dependency audit
The full surface - tested manually.
Four ways to scope this service.
External Web Application Test
Black-box assessment of your public-facing applications - think anonymous attacker on the internet.
- Unauthenticated attack surface
- Login & signup flow attacks
- Public API security review
Authenticated Application Test
In-app testing across the roles your customers, staff and admins use.
- Role-based access control
- Multi-tenant isolation
- Privilege-escalation paths
API Security Test (REST / GraphQL)
Deep testing of the API surface - the most common breach vector in modern web apps.
- REST & GraphQL coverage
- Rate-limit & quota bypass
- Schema introspection & abuse
SPA / Client-side Audit
Frontend-specific review for single-page applications - CSP, XSS, postMessage, storage hygiene.
- CSP & header audit
- Client-side storage review
- Dependency & bundle review
Six clearly-defined phases.
From scoping call to remediated environment - each step has a deliverable, a check-in and a documented owner.
Define Scope
Goals, asset inventory, rules of engagement (RoE) and success criteria.
Information Gathering
Recon, fingerprinting and threat modelling.
Identification
Vulnerability discovery and validation.
Attack & Penetration
Manual exploitation & chain analysis.
Reporting
Executive & technical deliverables.
Remediation Support
Fix guidance & debrief session.
Outcomes you can measure.
Standards alignment
OWASP ASVS & WSTG with full traceability.
Business-logic depth
Findings that automated tools cannot catch.
Code-level fixes
Developer-ready remediation guidance.
Threat-model led
Tests guided by how attackers actually target apps.
Deliverables.
Executive summary
Board-ready overview - risk posture, business impact, recommended priorities.
Technical report
Every finding with reproduction steps, evidence, CVSS & business-impact scores.
Remediation tracker
Jira / Linear-ready issue list with severity, owner and acceptance criteria.
About web application security.
What about single-page apps and APIs?
Do you need source code?
Will testing affect production data?
How often should we test?
Do you cover mobile and desktop variants?
Let's scope your web application security.
A 30-minute call. A fixed quote within two business days.