Client-Side Application Security Testing tests “thick” applications that are run and/or installed on an endpoint (workstation, server, etc.). It is typical to perform this in conjunction with Web Application Security Testing when the application is an “agent” running on the endpoint and interacting with a web service/API.
Testing involves automated and manual evaluations of one or more applications to ensure they provide protection against abuse of your data. We use industry standard tools to carry out automated scans looking for well-known vulnerabilities, and we also conduct manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.
This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).
The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure the security of your application is strong, and then provide actionable solutions to help you protect against attack/compromise. For example, we use industry standard tools to scan for and verify well-known/unpatched vulnerabilities that allow an attacker to carry out remote code execution and privilege escalation, circumvent intended controls, gain access to sensitive data, etc. In most cases, we will leverage the discovered vulnerabilities to (1) verify they are exploitable and (2) determine the exposure should the application be breached.
The testing is largely centered around static code analysis, fuzzing, and manual analysis using our internal/proprietary methodologies.
View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our reports.
In order to keep our testing prices low, we’ve removed certain services that not every client requests. Under our Cybersecurity Unlimited Retainer (included with all of our contracts) you can add on the following services as needed. Please reference the Cybersecurity Unlimited Retainer page for pricing details.