
SWAT, Assure, Snapshot Testing differences

What does our application pen test cover?

Testing methodology between Outpost24 Assure, Snapshot & SWAT

| WASC v2 | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| Abuse of Functionality | [icon] | [icon] | [icon] |
| Brute Force | [icon] | When safe | When safe |
| Buffer Overflow | [icon] | Supported but not safe | Supported but not safe |
| Content Spoofing | [icon] | [icon] | [icon] |
| Credential / Session Prediction | [icon] | [icon] | [icon] |
| Cross-Site Scripting | [icon] | [icon] | [icon] |
| Cross-Site Request Forgery | [icon] | [icon] | [icon] |
| Denial of Service | [icon] | Safe checks | Safe checks |
| Fingerprinting | [icon] | [icon] | [icon] |
| Format String | [icon] | [icon] | [icon] |
| HTTP Response Smuggling | [icon] | [icon] | [icon] |
| HTTP Response Splitting | [icon] | [icon] | [icon] |
| HTTP Request Smuggling | [icon] | [icon] | [icon] |
| HTTP Request Splitting | [icon] | [icon] | [icon] |
| Integer Overflow | [icon] | Supported but not safe | Supported but not safe |
| LDAP Injection | [icon] | [icon] | [icon] |
| Mail Command Injection | [icon] | [icon] | [icon] |
| Null Byte Injection | [icon] | [icon] | [icon] |
| OS Commanding | [icon] | [icon] | [icon] |
| Path Traversal | [icon] | [icon] | [icon] |
| Predictable Resource Location | Time | [icon] | [icon] |
| Remote File Inclusion | [icon] | [icon] | [icon] |
| Routing Detour | [icon] | [icon] | [icon] |
| Session Fixation | [icon] | [icon] | [icon] |
| SOAP Array Abuse | [icon] | [icon] | [icon] |
| Server Side Include Injection | [icon] | [icon] | [icon] |
| URL Redirector Abuse | [icon] | [icon] | [icon] |
| XPath Injection | [icon] | [icon] | [icon] |
| XML Attribute Blowup | [icon] | [icon] | [icon] |
| XML External Entities | [icon] | [icon] | [icon] |
| XML Entity Expansion | [icon] | [icon] | [icon] |
| XML Injection | [icon] | [icon] | [icon] |
| XQuery Injection | [icon] | [icon] | [icon] |
| Application Misconfiguration | [icon] | [icon] | [icon] |
| Directory Indexing | [icon] | [icon] | [icon] |
| Improper File-system Permissions | [icon] | [icon] | [icon] |
| Improper Input Handling | [icon] | [icon] | [icon] |
| Improper Output Handling | [icon] | [icon] | [icon] |
| Information Leakage | [icon] | [icon] | [icon] |
| Insecure Indexing | [icon] | [icon] | [icon] |
| Insufficient Anti-Automation | [icon] | [icon] | [icon] |
| Insufficient Authentication | [icon] | [icon] | [icon] |
| Insufficient Authorization | [icon] | [icon] | [icon] |
| Insufficient Password Recovery | [icon] | [icon] | [icon] |
| Insufficient Process Validation | [icon] | [icon] | [icon] |
| Insufficient Session Expiration | [icon] | [icon] | [icon] |
| Insufficient Transport Layer Protection | [icon] | [icon] | [icon] |
| Server Misconfiguration | [icon] | [icon] | [icon] |
| Business Logic Flaws | [icon] | [icon] | [icon] |
| Framework Vulnerability | [icon] | [icon] | [icon] |

WASC v2 is a list of standardized vulnerability classifications from the Web Application Security Consortium (http://projects.webappsec.org/w/page/13246978/Threat%20Classification).

| OWASP TOP 10 2013 | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| A1-Injection | [icon] | [icon] | [icon] |
| A2-Broken Authentication and Session Management | [icon] | [icon] | [icon] |
| A3-Cross-Site Scripting (XSS) | [icon] | [icon] | [icon] |
| A4-Insecure Direct Object References | [icon] | [icon] | [icon] |
| A5-Security Misconfiguration | [icon] | [icon] | [icon] |
| A6-Sensitive Data Exposure | [icon] | [icon] | [icon] |
| A7-Missing Function Level Access Control | Time | [icon] | [icon] |
| A8-Cross-Site Request Forgery (CSRF) | Time | [icon] | [icon] |
| A9-Using Components with Known Vulnerabilities | [icon] | [icon] | [icon] |
| A10-Unvalidated Redirects and Forwards | [icon] | [icon] | [icon] |

The OWASP (Open Web Application Security Project) Top 10 is a collection of the most commonly found and reported vulnerabilities in current web applications. It groups findings into families, so it is common for “OWASP COMPLETE” offerings to address only subsets of the different threat families.

Outpost24 tests against the OWASP Top 10 2017 as well as 2013 where relevant.

| Common Vulnerabilities | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| Cross Site Scripting – Reflected | [icon] | [icon] | [icon] |
| Cross Site Scripting – Persistent | [icon] | [icon] | [icon] |
| Cross Site Scripting – DOM-based | [icon] | [icon] | [icon] |
| HTTP Header Injection | [icon] | [icon] | [icon] |
| SQL Injection – Error based | [icon] | [icon] | [icon] |
| SQL Injection – Differentials based | [icon] | [icon] | [icon] |
| SQL Injection – Time based | [icon] | [icon] | [icon] |
| Application logic tested | Time | [icon] | [icon] |
| Password lockout tested | [icon] | [icon] | [icon] |
| Session randomness tested | Time | [icon] | [icon] |
| Horizontal escalation testing | Time | [icon] | [icon] |
| Vertical escalation testing | Time | [icon] | [icon] |
| Insecure Direct Object Reference | Time | [icon] | [icon] |
| Web server vulnerabilities | [icon] | [icon] | [icon] |
| Local File Inclusion | [icon] | [icon] | [icon] |
| Remote File Inclusion | [icon] | [icon] | [icon] |
| Use of weak encryption | [icon] | [icon] | [icon] |
| Use of weak standard modules | [icon] | [icon] | [icon] |

Common vulnerabilities is a selection of common threats as they are discussed in writing and in practice among security specialists, together with the different methods of addressing them and those methods' limitations. Tools are judged on their ability to maintain good coverage: a tool may include a single test with low applicability just to tick a checkbox for an application, which should not be confused with actually supporting a whole family of vulnerabilities.

| Monitoring and coverage | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| Zero touch configuration | [icon] | [icon] | [icon] |
| Maximum links | Time | Unlimited | Unlimited |
| Continuous detection | [icon] | [icon] | [icon] |
| Test newly deployed content | [icon] | Remediation only | [icon] |
| Detect changed credentials | [icon] | [icon] | [icon] |
| Time available for a test | 3 days | 30 days | Continuous |
| Smart form testing | [icon] | [icon] | [icon] |

Monitoring and coverage covers the effort required to get a security review performed against an application, the ability to detect changes to that application over time, and the support for learning to understand and work with a dynamic application. The penetration test, while in-depth in coverage, is very limited in its ability to support the organization with remediation or with maintaining security levels over time.

| Verification and guidance | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| False positives removed | [icon] | [icon] | [icon] |
| Proof of exploitability provided | [icon] | [icon] | [icon] |
| Vulnerability rating put in context | [icon] | [icon] | [icon] |
| Context-aware CVSS scoring | [icon] | [icon] | [icon] |
| Unlimited re-testing and verifications | 30 days | 30 days | [icon] |
| Ask experts for advice on remediation | 30 days | 30 days | [icon] |
| Smart vulnerability grouping | [icon] | [icon] | [icon] |

Verification and guidance relates to how much effort and what degree of expert competence an organization needs to maintain internally to be able to use and benefit from a solution over time. Web application security is a niche competence, and it is often expensive to maintain and hone within an organization.
Vulnerability grouping is important to ensure that root cause analysis is performed, avoiding a high workload to address what is in essence a single root problem.

| Production safety | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| Production safe testing | Medium | High | High |
| Low traffic and database intensity | Medium | Medium | Low |
| Submits forms only when safe | [icon] | [icon] | [icon] |
| Prevents dangerous link use | [icon] | [icon] | [icon] |

Production safety relates to the risk that a scanner or test affects the test object. The penetration test is often not production safe either, but it can be on specific request, and it has therefore been evaluated here with production safety treated as a key priority for the client.
Production safety is key for business-critical applications, any customer-facing application, and any application where data integrity matters.

| Support | ASSURE | SNAPSHOT | SWAT |
|---|---|---|---|
| Onboarding call | [icon] | [icon] | [icon] |
| Vulnerability discussions | [icon] | [icon] | [icon] |
| Verification and remediation support | [icon] | [icon] | [icon] |
| Professional support directly in tools | [icon] | [icon] | [icon] |
| Access to security specialists | 30 days | 30 days | Unlimited |

Support is important to ensure that you get full value from a solution and can work quickly to resolve both findings and technical problems.
Most applications are delivered with limited support, mainly focused on pure tool support such as license questions and usage. Penetration tests usually come with excellent support during the test itself, but without long-term commitments from the partner, as this is a one-off engagement where the business transaction and relationship end with the delivery of the report.
Sometimes penetration testers offer a re-test to verify that problems are resolved, but that is also a one-off engagement, meaning ongoing verification as you remediate is not available, and if a problem is not solved, getting one more verification later can be a challenge.

Legend

| Symbol | Meaning |
|---|---|
| [icon] | Fulfilled |
| / | Partially fulfilled |
| [icon] | Not fulfilled |
