Rapid Assessment
A quick automated test of the top vulnerabilities. Recommended for smaller, less critical applications, and as an intermediate security check of larger, critical applications.

Comprehensive Assessment
A detailed test which combines the automated testing of the Rapid Method with manual testing by security experts. Recommended for large, critical web applications involving dynamic business functions.
FEATURE COMPARISON

| Feature | RAPID | COMPREHENSIVE |
| Instant on-demand testing | ✓ | ✓ |
| OWASP Top 10 & WASC 42 threat classes coverage | ✓ | ✓ |
| Security test of network infrastructure supporting the application | ✓ | ✓ |
| Automated false positive removal | ✓ | ✓ |
| Detailed report with remediation recommendations | ✓ | ✓ |
| Security expert manual analysis & complete false positive removal | | ✓ |
| Specialized Web 2.0 tests | | ✓ |
| Business logic vulnerability testing | | ✓ |
| Custom Tests | | ✓ |
| Root cause analysis | | ✓ |
REPORT COMPARISON

| Test Process Model | Fully Automated | Rapid + Expert Verification |

Rapid
Our Rapid test is a fully automated test, including the exploitation stage. The Comprehensive test is a blended process combining the automated test with manual expert validation.

Comprehensive
The Comprehensive test provides better coverage depth (false positive removal, false negative analysis) and breadth (business logic vulnerability testing) than Rapid.
| False Positive Removal | Partial | 100% |

Although the Rapid test removes false positives, its coverage cannot be 100% because it is an automated test. The Comprehensive test provides 100% false positive removal because it combines automated testing with expert validation.
In the screenshots below, Rapid shows 13 High level threats, but the Comprehensive report eliminated 2 false positives and indicated only 11 High level threats.

[Screenshot: Rapid Test Report]
[Screenshot: Comprehensive Test Report]
| False Negative Check | Not covered | Covered |

False negatives are threats that are incorrectly identified as benign. The Rapid test, being completely automated, does not provide coverage for false negatives. The Comprehensive test, during its expert validation phase, looks for threats that the automated stage may have missed.
In the screenshots below, the Rapid test shows only 15 other threats, but the Comprehensive report identified many false negatives and reported 23 other threats.

[Screenshot: Rapid Test Report]
[Screenshot: Comprehensive Test Report]
| Proof of Exploitation | Partial | Greater coverage, with screenshot |

Penetration testing goes beyond vulnerability assessment by exploiting the vulnerabilities found during a test. Exploitation provides the proof that the vulnerability can indeed impact your assets, and it shows the impact of a breach.
The Rapid test conducts automated exploitation and cannot provide visual proof of exploitation. In many cases an exploit has to be tweaked by an expert to succeed, so Rapid provides only partial exploitation coverage.
The Comprehensive test provides greater exploitation coverage. The report also includes a screenshot of the exploited state of the application to help with impact assessment.
In the screenshot below, you can see that the "proof of exploitation" explains how a vulnerability was exploited.

[Screenshot: Rapid report]
[Screenshot: Comprehensive report]
| Business Logic Vulnerability Testing | Not covered | Covered |

Business logic vulnerability testing is covered only in the Comprehensive test. Business logic vulnerabilities arise from insecure coding practices: a developer often focuses on making a function work and overlooks the ways it could be abused. A common example is missing input validation that breaks a business process flow. The example below shows a bank's fund transfer request that accepts a negative amount, thereby crediting the attacker's account instead of debiting it.
Screenshot of business logic vulnerability testing in the Comprehensive report:

[Screenshot: Rapid report]
[Screenshot: Comprehensive report]
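The negative-amount transfer described above, as an added illustration that is not part of the original page or the vendor's tooling: a flawed transfer routine that trusts the submitted amount sits beside a hardened version that validates the amount server-side before touching any balance. The ledger, account names, per-transfer limit and the `TransferError` type are all constructed for this example.

```python
from decimal import Decimal, InvalidOperation


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation (constructed for this example)."""


def transfer_vulnerable(balances: dict, src: str, dst: str, amount: Decimal) -> None:
    """The flawed flow: the amount is applied exactly as submitted.

    A negative amount reverses the direction of the transfer, so the
    'sender' is credited and the 'recipient' is debited.
    """
    balances[src] -= amount
    balances[dst] += amount


def parse_amount(raw: str) -> Decimal:
    """Turn untrusted input into a validated, positive money amount."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite():            # rejects NaN and Infinity before any comparison
        raise TransferError("amount is not finite")
    if amount <= 0:                       # the negative-amount case from the page, plus zero
        raise TransferError("amount must be greater than zero")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has more than two decimal places")
    return amount.quantize(Decimal("0.01"))


def transfer_secure(balances: dict, src: str, dst: str, raw_amount: str,
                    max_per_transfer: Decimal = Decimal("10000.00")) -> Decimal:
    """Hardened flow: every precondition is checked before balances change."""
    amount = parse_amount(raw_amount)
    if src == dst:
        raise TransferError("source and destination are the same account")
    if src not in balances or dst not in balances:
        raise TransferError("unknown account")
    if amount > max_per_transfer:         # assumed business limit, constructed for this example
        raise TransferError("amount exceeds per-transfer limit")
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount
    return amount


def demo() -> dict:
    """Run both flows over a constructed ledger and return the outcomes."""
    # Constructed sample ledger: an attacker-controlled account and a victim account.
    vulnerable = {"attacker": Decimal("1000.00"), "victim": Decimal("1000.00")}
    transfer_vulnerable(vulnerable, "attacker", "victim", Decimal("-500.00"))

    hardened = {"attacker": Decimal("1000.00"), "victim": Decimal("1000.00")}
    rejected = []
    for raw in ["-500.00", "0", "NaN", "abc", "1.005", "99999"]:
        try:
            transfer_secure(hardened, "attacker", "victim", raw)
        except TransferError as exc:
            rejected.append(f"{raw}: {exc}")
    transfer_secure(hardened, "attacker", "victim", "250.00")  # a legitimate transfer still works

    return {
        "vulnerable_after": {k: str(v) for k, v in vulnerable.items()},
        "hardened_after": {k: str(v) for k, v in hardened.items()},
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The flawed routine is the kind of defect a scanner cannot see: every request is well-formed HTTP, and the response is a normal success page. Catching it requires understanding what a transfer is supposed to do, which is why the page places business logic testing in the expert-driven Comprehensive tier. The hardened routine also rejects non-finite and over-precise amounts, because the same trust-the-client mistake tends to surface in more than one form.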