
Web Security

We run attack simulations to test the security of your web app and provide you with a detailed report on the vulnerabilities that must be fixed.

Web Security Service

Identification and proactive remediation of vulnerabilities

Our Web Security service identifies any weaknesses and vulnerabilities resulting from insecure coding. By choosing it, you will obtain an in-depth and exhaustive report on the threats to which your applications, portals and web services are exposed, along with a comprehensive remediation plan.

Application logic
We thoroughly study the application to understand its functioning and to determine the critical points on which we should focus our attention.
Vulnerability research
We run an in-depth analysis to locate potential entry points through the weaknesses detected.
Exploitation
We exploit the vulnerabilities identified in the previous phases to gain access to systems, services, applications or data.
Post exploitation
We assess the strategic value of the compromised assets to correctly estimate the real impact of the vulnerabilities on your business.
Standards applied in our Web Security service

We follow the main industry standards

Our Web Security service is delivered by our team of cybersecurity experts, strictly in compliance with the main industry standards and guidelines, including:

OSSTMM (Open Source Security Testing Methodology Manual)
NIST Cybersecurity Framework
OWASP WSTG (Web Security Testing Guide)
OWASP API Security Top 10
OWASP Top 10 Web Application Security Risks
Data protection
We pay close attention to data security in terms of confidentiality, integrity and availability.
Calculation of the impacts
The impact of each uncovered vulnerability is calculated based on the CVSSv3.1 standard.
Collaborative testing platform

We perform our tests in a collaborative way

All the ethical hackers engaged in an activity share their results in real time on our online platform, which has supervised and restricted access. A simple solution that brings many benefits.

Maximum coverage
Cooperation among our ethical hackers maximizes test coverage and avoids spending time on what has already been tested.
Quality, always
Project leaders can verify at any time that the testing process meets the quality standards set by Unlock Security.
99% testing, 1% reporting
Automating report generation lets our testers devote the time available to them to testing.

What we secure

Websites
Showcase and institutional websites, landing pages and e-commerce
Web applications
Custom or CMS-based applications
Cloud portals
Wherever your application is located
ERPs
We perform our analysis based on the application context

Our offer

Here is everything we offer with the Web Security service.

Qualified and certified Ethical Hackers for vulnerability research

Professional Penetration Tester
An Ethical Hacking and Penetration Testing certification covering attack techniques against networks, operating systems and applications.
Mobile Application Penetration Tester
A certification issued to cyber security experts who demonstrate advanced knowledge of mobile application security.
Web Application Penetration Tester
A certification that assesses the skills of information security professionals in web application penetration testing.
Continuous training
Unlock Security invests continuously in staff training to guarantee constant updates on the main cyber security topics.

We pay extreme attention to detail to produce a complete and effective report

Executive report
A summary of the results obtained, with high-level details of the vulnerabilities, intended to give an overview of the target's security posture.
Patching suggestions
Suggestions for developers on the remedies that can be applied to fix the reported issue.
Technical detail
Details of the vulnerabilities identified and their impact on the target system, allowing developers to understand each issue and its impact.
Multilingual report
The entire report can be produced in both Italian and English.

We support developers through the different phases of vulnerability patching

1
Presentation
We organize a meeting to present and walk through every part of the security report.
2
Validation
We evaluate and validate the plan proposed by the developers to avoid errors in the patching phase and optimize resolution times.
3
Implementation
The developers implement the strategy agreed on during validation and apply the patches.
4
Verification
We replicate the attacks to verify that the patching plan has been implemented correctly.

We offer you a security service that respects the needs of your business

Source code analysis
The standard security analysis can be complemented with a more in-depth analysis based on the source code.
Real-time access to results
We designed an ad-hoc solution to provide real-time access to the results obtained during security tests.
Continuous activities
We offer the option of performing security tests on a continuous basis, guaranteeing lasting security over time.
Special requests?
We are fully available to consider proposals for tailoring the service to meet your needs.

FAQ

Web security is a matter of the utmost importance for those who manage a website, regardless of it being an e-commerce, a personal blog or a corporate platform. In this section, we answer some of the most frequently asked questions.

It is important to run security tests on your website because they help identify vulnerabilities that attackers might exploit to access your sensitive data or compromise your website. Security tests help protect your website, its users and your company from these kinds of attacks.

Website security can include different operations, such as scanning your website source code to look for known vulnerabilities, running penetration tests to simulate different kinds of attacks and test the strength of your website against them, and analyzing the server configuration to ensure that it is secure.

It is important to run security tests regularly to ensure that your website is protected against emerging web security threats and to keep the trust of your users.

In order to be assessed by our Web Security service, your website should meet the following requirements:

  • Your website should be reachable via the Internet or through a private network, regardless of whether it is a production, development or testing environment.
  • We will need all the information necessary to access the website, such as the IP address and any usernames and passwords. Our cybersecurity experts will use this information to access the website and simulate a cyberattack.

If your website meets these requirements, our service will allow you to test its security and find any potential vulnerabilities.

In terms of web security, our service offers several advantages over automated scanning. In particular, our Web Security service simulates a cyberattack to detect weaknesses and vulnerabilities, including logic flaws that a scanner cannot recognize.

In addition, our service provides a more accurate security assessment than a web security scan, since it is based on the simulation of real cyberattacks, similar to those that real attackers would carry out. Moreover, our experts evaluate the consequences and the impact of such attacks on your business, helping you define your priorities and the security measures you should adopt.

Finally, our Web Security service can be customized based on the specific needs of your business, providing a more accurate and precise assessment of the security situation.

There are three common kinds of penetration test, known as "white box", "gray box" and "black box". These are the main differences between them:

  • White box: in a "white box" penetration test, testers have full access to all the information about the target, such as its source code, its database structure and its server configuration. This kind of test allows a deeper assessment and better results in terms of vulnerability detection.
  • Gray box: in a "gray box" penetration test, testers are given limited access to information about the target. For example, testers may be given some user accounts registered on the platform in order to test the functionality that requires a login. This kind of test is usually performed to simulate attacks from external users who have access to some information, but not all of it.
  • Black box: in a "black box" penetration test, testers are given no information about the target system's configuration and have to discover it on their own. This kind of test is mostly carried out to simulate attacks from users who are completely external and have no information about the target system.

In general, "white box" penetration testing is considered the most thorough, since testers have access to all the information needed to fully understand the system configuration. However, "black box" penetration testing is more useful for simulating attacks from external users and detecting the vulnerabilities they could exploit.

The Open Web Application Security Project (OWASP) Web Security Testing Guide (WSTG) contains a set of procedures and guidelines that help developers and testers assess the security of web applications. The WSTG provides a list of security checks to be used when developing and testing web applications to ensure that they are protected against the most common attacks.

The tests from the WSTG can be run at different stages of the web application development process, e.g. during the design, development and testing phases. These tests include activities such as reviewing the source code for known vulnerabilities, verifying password and session management, checking input validation and verifying the security of communications.

The WSTG also provides guidance on how to build a secure testing environment and how to create a comprehensive security testing plan. We recommend using the WSTG as a guide to ensure that web applications are secure while they are being developed and tested.

Yes, our service can include API (Application Programming Interface) security testing. Applications use APIs to exchange data and interact through a defined interface. If the APIs are not designed and implemented securely, they can be vulnerable to attack.

If you want a preview of the tests we run on APIs, take a look at the OWASP API Security Top 10. This is a list of the ten most critical security risks related to APIs (Application Programming Interfaces) that organizations should take seriously.

The NIST Cybersecurity Framework (CSF) is a set of guidelines designed by the US National Institute of Standards and Technology (NIST) to help organizations manage cybersecurity risk. The CSF provides a set of standards and recommended practices for cybersecurity management that organizations can adopt to secure their systems and data.

The CSF was designed to be flexible and adaptable, so that organizations can use it to tailor their security strategies to their own specific needs. Its core is organized into five Functions: Identify, Protect, Detect, Respond and Recover (CSF 2.0, published in 2024, adds a sixth, Govern). Each Function is broken down into Categories and Subcategories of outcomes that help organizations manage cybersecurity risk.

The CSF is used by many organizations, both public and private, to secure their systems and data. It is often considered a reference standard for cybersecurity and used as guidance when developing security policies and procedures.