Jack Gooday, Ethical Hacker at NEBRC, discusses the NEBRC's Web App Vulnerability Assessment Services in the following blog.

Updated: Oct 15, 2021

If your business has a website online, you may be vulnerable to cybercrime. SMEs often don’t think they’re a target for cybercrime: why would cybercriminals want to attack us? But hackers are aware that SMEs can have little or no knowledge of security, alongside small budgets, which makes them prime targets for easy attacks. Through a vulnerable website, hackers can gain access to internal systems and infect them with viruses or ransomware, encrypting files and demanding payment.

The NEBRC provides two types of Web Application Vulnerability Assessment, which aim to identify vulnerabilities in your website and help you to fix these weaknesses before the bad guys find them. This gives you assurance that your website is meeting industry-standard security guidelines to keep your business safe from cybercriminals.

The two types of Web Application Vulnerability Assessments that the NEBRC offer are:

1. The Light Web Application Vulnerability Assessment

This assessment is intended as a rapid and cost-effective first step to understand the resilience and current weaknesses of your website. It does what it says on the tin: if you have never had your website tested before, it will identify any major holes in your web security and catch them before a cybercriminal might. It will not identify everything, but it is a great place to start assessing your website’s security and gives you an introduction to your current risk position.

We will perform several industry-recognised tests against your website to help you to understand more about the characteristics of your website’s security. This service comes with technical findings, supported by non-technical explanations to aid your understanding. We will give an overview of what security measures you have in place, what security measures you’re missing, and guidance on the next steps needed to start increasing the security of your website.

This service can be offered free of charge if chosen as a bolt-on to one of our membership packages. To view these packages, visit www.nebrcentre.co.uk/membership

However, for more assurance and a fuller analysis of your website's security, we recommend the full web application vulnerability assessment.

2. The Full Web Application Vulnerability Assessment

This assessment will give you greater assurance about the security of your website. Compared to the light web assessment, we will dig much deeper into your website over a number of days, using additional tools and techniques to analyse the resilience of your website in even greater depth.

Based on best-practice industry standards, your website will be tested in detail against each category of the OWASP Top 10, the industry-standard list of the most critical web application security risks. These categories cover the most common weaknesses in websites that may be open to attack from cybercriminals, so testing against them is an effective way to reduce vulnerabilities in your website and help secure your business from cyber-attack. All testing and findings against each of the OWASP Top 10 categories will be recorded in a detailed report, with thorough recommendations for how you can improve the security of your website. This will give you a solid security foundation to protect your website and make it much harder for hackers to break into your systems.

It’s worth noting that the price of this service will vary depending on the complexity of your website, so a scoping call will be arranged before the assessment is performed to fully discuss your needs and the associated costs.

Both assessments are carried out by trained ethical hacking students, supervised by a senior ethical hacker with extensive experience of conducting testing for businesses. They also come with full support from the NEBRC to answer your questions at every step.

It is important to remember that these are vulnerability assessments, not penetration tests. We find weaknesses but will not try to exploit them, so that interaction with your system is kept to a minimum.

All vulnerability assessments are supported by back-out and recovery plans agreed in advance to minimise risk and disruption to your web services. If you are interested in a penetration test, the NEBRC has a network of Trusted Partners that can offer this.

If you have any queries relating to what has been discussed in this blog, please contact a member of the NEBRC team by emailing enquiries@nebrcentre.co.uk. To view the NEBRC’s range of Services, please visit www.nebrcentre.co.uk/student-services.