In addition to the Open Source Security Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution Standard (PTES), Rapid7's application penetration testing leverages the Open Web Application Security Project (OWASP), a comprehensive framework for assessing the security of web-based applications, as the foundation for our web application assessment methodology. Our web application penetration tests simulate real-world attacks to provide a point-in-time assessment of the vulnerabilities and threats affecting the customer's application environment.
The post-assessment analysis groups one or more security issues that share a common cause and resolution into a single finding, which allows Rapid7 to quantify and prioritize the business risk to an organization. The resulting findings matrix is actionable and can serve as an overarching workflow plan that is tracked within the security organization. This plan is intended to help the remediation team prioritize and track the remediation effort; consequently, each finding is categorized according to its relative risk level and carries a rating of the work and resources required to address it. Each finding also contains hyperlinked references to supporting resources and provides detailed remediation information.
Our penetration testing methodology is as follows: