
Data sheet

Ethical Hacking
Web Application Testing

Our Approach
We have developed our own standardized methodology for
carrying out Ethical Hacking vulnerability assessments for
web applications.
Our methodology is based on industry standards, such as the
OWASP Testing Guide (OWASP Top 10) and ISSAF, along
with our own checklists, many years of experience, client
requirement documents, our own best practices and other
well-known references in publicly available resources, such
as forums, technology bulletins, bug navigators, vendor
knowledge bases, hacker communities, the internet, etc.
The first step is to determine the scope of your testing
requirement. Depending on your preference we can perform
an interview or share our questionnaire with you. Based on
the answers, we may issue an Ethical Hacking agreement
together with a Statement of Work which describes the scope,
deliverables, pre-requisites and associated pricing.
After approval from you, we start the Ethical Hacking
vulnerability assessment. During the vulnerability assessment,
you will be notified via a status update report about the
progress. After the actual testing has been performed, we will
issue a preliminary report. Within 10 days, we will present all
identified vulnerabilities in a final report. Once we have issued
the final report to you, you have 10 days to review and
request any changes. Any requested changes will be
discussed. Upon agreement, the final report will be updated
and re-issued. If no changes are requested during this
timeframe, the report shall be considered final and the project
completed.

The reporting of identified vulnerabilities and
recommendations (status updates and final report) is based
on our Ethical Hacking Center of Excellence's (EHCoE) own
process and templates. In order to guarantee high quality
output, all deliverables go through a peer and document
quality review.

Vulnerability Assessment
During the application testing, our EHCoE consultants will
examine the security controls being provided by the web
application.
Some of the aspects covered and their objectives as part of
this type of vulnerability assessment include:

• Our EHCoE consultants will pose as an unauthenticated
attacker targeting the application being assessed. The
integrity of the web application and the strength of the
authentication mechanism, as well as any other
vulnerability associated with the application, will be
reviewed. Then, posing as an authorised user with
access to the web application, our EHCoE consultants
will attempt to exceed the intended privileges and
authority. The purpose of this is to verify the
authentication and session management mechanisms.

• In addition, our EHCoE consultants will investigate the
application entry points, fingerprint the application and its
architecture, and enumerate admin interfaces.

• Our EHCoE consultants will investigate whether any
unnecessary information is entrusted to the client
software, or whether the client software can be manipulated
in a way that provides unauthorized access to features of
the remote server application.

• For assessing web-based and custom client/server
applications with client-side software components, our
EHCoE has developed a custom process. These client-side
components may consist of a Java applet or ActiveX
control that operates within a web browser, standalone
Java applets or standalone executable applications. This
testing measures the security integrated into the client
software components and reviews how the client
software interacts with the remote server application.
The purpose is also to collect as much information as
possible about the client application and server
communication, and to manipulate the client software
without having inside knowledge of how the components
operate.

• All information about the client software is gathered by
observation or through reverse engineering, where
permitted and applicable.

• Proper use of encryption and certificate authorities, as
well as possible flows of sensitive data sent through
unencrypted channels, are assessed by dissecting the
client-server communications and inspecting the data sent
over the network.

• Throughout the test, the application functionality will
also be investigated, including testing for application
logic bypass and looking for business logic flaws.

Before we start the actual testing, your technical team will
be consulted to ensure testing can proceed without impacting
operations. Both commercial tools and EHCoE internally
developed tools and scripts are used during the testing. After
scanning for vulnerabilities, the identified vulnerabilities are
verified manually to eliminate false positives.

Optional Penetration Testing
After we finish the vulnerability assessment activities, we may,
on your request, attempt to exploit the identified
vulnerabilities. The ultimate goal of this step is to
demonstrate the consequences of the vulnerabilities if exploited
by an attacker. This type of testing should not be performed in
a production or live environment but in a product acceptance
environment.

The results
During the testing, we will immediately report any critical
and/or high risk vulnerabilities identified via a status update
report. When the testing has been completed, you will receive
a formal report that will contain:

• A detailed explanation of the testing activities that have
been completed and the methods used by us to
determine the results

• A listing of all identified vulnerabilities of your web
application environment with a ranking of their level of
risk, the ease with which they can be exploited, and
mitigating factors

• An explanation of how to mitigate or eliminate the
vulnerabilities, including enhancement of your policies,
adoption of industry best practices, changes to security
processes and enhancements to the web application
architecture

• Within 10 days after the conclusion of testing, we will present
all identified vulnerabilities to you in a final report.

Why BT
Put your Ethical Hacking needs into expert hands. We are one
of the world's leading and most trusted security brands, with
credentials earned over decades of experience in the field:

• Our global EHCoE, with more than 20 years' experience,
combines the vast knowledge and experience of our
consultants with proven methodologies

• Being a network operator, we have specific and in-depth
knowledge of network infrastructure devices, and as a
large company we use many server and workstation
platforms, mobile devices and all kinds of applications.
These are thoroughly tested by our EHCoE before being
deployed on our network infrastructure, on which many
international customers rely

• Our highly skilled consultants hold industry recognised
certifications

• We are accredited by Lloyd's Register Quality Assurance
for the ISO 9001:2008 quality management system for
performing our professional services on a global scale

• Holding the ISO 9001 certification since 23 July 2003
shows our long term commitment to continuously improving
the quality of our services. Other relevant certification
programs are CESG CHECK and the following CREST
schemes: Penetration Testing and Simulated Target
Attack & Response (STAR)

• We are one of the largest security and business
continuity practices in the world, with more than 2000
security consultants and professionals globally who have
been offering security and business continuity expertise
to our customers for many years

• We are one of only a few organisations providing
integrated network and security solutions, both
commercially and technically

BT Assure

Security that matters

Offices worldwide
The services described in this publication are subject to availability
and may be modified from time to time. Services and equipment are
provided subject to British Telecommunications plc's respective
standard conditions of contract. Nothing in this publication forms any
part of any contract.
British Telecommunications plc 2014
Registered office: 81 Newgate Street, London EC1A 7AJ
Registered in England No: 1800000
bt.com/btassure/ethical-hacking
