Web Apps and APIs
"23.5% of all observed attacks involved exploitation of public-facing applications, while web compromise represented 9% of initial infection vectors in 2024 (up from 5% in 2023). These attacks targeted internet-exposed applications, providing attackers with an entry point to move laterally, exfiltrate data, and deploy additional payloads."
- Mandiant M-Trends 2025 Report
Web applications and APIs drive customer engagement and enable critical business workflows, from e-commerce transactions to partner integrations. We assess how application security protects these business-critical interactions, ensuring customer trust and operational integrity. Our consultants evaluate risks to business processes, identifying vulnerabilities that could impact customer experience and business operations.
- An efficient and cost-effective method of testing web applications and APIs that combines the detail of Secure Code Review with the assurance of practical 'hands-on' testing. It is colloquially referred to as 'white-box' testing, as the consultant has a view of the internal workings of the application.
- The consultant conducts the penetration test using the source code as a guide, inspecting the underlying logic of key functionality, which increases their ability to efficiently identify otherwise hard-to-spot vulnerabilities.
- Less time is spent on speculative testing, so the tester can get straight to the core issues and provide remediation advice in far greater detail, with code samples and examples that exactly match your language and framework.
- NOTE: Commissioning a CAPT typically results in a reduced scope (read, cheaper for you) due to the greater efficiency of evaluating an application with source code available.
- This type of test differs from full Secure Code Review in that the consultant will not be reviewing the entire code base, but will instead be focusing on the key areas of the application that are most likely to be exploited by an attacker. Reporting will be tailored towards OWASP vulnerabilities and less emphasis will be placed on code quality and best practices.
- This is the 'standard' method of application testing where the consultant will assess the application with no knowledge of the internal workings.
- Whilst this is an effective method of testing, it lacks the efficiency of a code-assisted test, and can often miss vulnerabilities that are only present when the application is used in a specific way.
- This reduction in efficiency is a result of the tester performing speculative testing, manually and iteratively attempting to understand much of the application's logic and functionality.