Web Application Penetration Test

SKU: 3185
Format: Consultancy

This CREST consultant-driven penetration test is designed to identify potential vulnerabilities in your websites and web applications and provide recommendations for improving your security posture.

This test can be used to help meet the requirements of the PCI DSS and ISO 27001. 

Buy now, pay later! Enjoy the benefits of paying by purchase order with an IT Governance corporate account. Apply online today or call our service centre team on 00 800 48 484 484.

COVID-19: remote delivery options

We would like to reassure our clients that all training and consultancy services will go ahead as scheduled during the current COVID-19 situation. As a company that fully embraces flexible and remote working, we are adjusting our delivery methods to allow us to provide consultancy services, penetration tests and training remotely where necessary. Please also refer to our COVID-19 policy.

For more information about this service or to get a tailored quote for your organisation, please enquire below and one of our experts will be in touch shortly.

IT Governance’s web application penetration testing is built upon an established bespoke methodology based primarily upon the OWASP Top 10 Application Security Risks 2017. This approach emulates the techniques of an attacker, using many of the same readily available tools, which enables a full assessment of the key components of the web applications and supporting infrastructure.

Once identified, the vulnerabilities are presented in a format that allows an organisation to assess their relative business risk and the cost of remediation.

Your challenge

The security of web applications is of paramount importance to business continuity and integrity. While traditional firewalls and other security controls are an important security layer, they can’t defend or alert you to many of the attack vectors specific to web applications.

Our service offering

  • Careful scoping of the application to establish the exact extent of the testing exercise. 
  • A range of manual tests closely aligned with the OWASP methodology. 
  • A series of automated vulnerability scans. 
  • Immediate notification of any critical vulnerabilities to help you take action quickly. 
  • A detailed report that identifies and explains the vulnerabilities (ranked in order of significance). 
  • A list of recommended countermeasures to address any identified vulnerabilities. 
  • An executive summary that explains what the risks mean in business terms. 


Our penetration tests will help you to:

  • Gain real-world insight into your vulnerabilities;
  • Keep untrusted data separate from commands and queries;
  • Develop strong authentication and session management controls;
  • Improve access control;
  • Discover the most vulnerable route through which an attack can be made; and
  • Find any loopholes which could lead to the theft of sensitive data.

Service conditions

  • The standard price is applicable for a single web application and database with up to 100 static web pages, or dynamic web pages using no more than five templates, or a combination of the two.
  • Testing will be conducted with a single level of authentication.
  • The site will be scanned as an unauthenticated user, then rescanned as an authenticated user.
  • Testing will not include file upload testing.
  • This test is available as either an internal or an external test.
  • Consultant expenses related to travelling, etc. are not included in the price.
  • On-site presentation of report findings and remedial consultations can be provided upon request at an additional cost.
  • Discounts for multiple tests only apply when a two- or three-year contract is agreed at the purchase of the first test; discounts cannot be backdated. Each penetration test will be invoiced annually (in the year of the test). An invoice will be issued 28 days before the planned test.
  • The quoted price applies to testing during regular office hours. An additional charge will be incurred for tests conducted outside of regular office hours (9:00 to 17:30 GMT).

Why IT Governance?

Why choose us?

  • Penetration tests should only be carried out by experienced consultants with the necessary technical skill set and qualifications. Our consultants have strong technical knowledge and a proven track record in finding security vulnerabilities. They can carry out exploits in a safe manner and advise on appropriate mitigation measures to ensure that your systems are secure.
  • Our CREST (Certified Register of Ethical Security Testers) certified penetration testing team will provide you with clarity, technical expertise and peace of mind knowing that your web application has been reviewed by experienced testers in line with your business requirements.
  • For Azure clients, our penetration tests comply with the Microsoft Rules of Engagement. This means we take care to limit all penetration tests to your assets, thereby avoiding unintended consequences to your customers or your infrastructure.

Require a level 2 penetration test?

We’ve designed our standard packages to be easy and affordable, but if you are unsure of your requirements, or your needs are more complex and involve attempting to exploit the identified vulnerabilities, please call us to discuss. Our consultants can answer your questions and make the process painless. If you would like to talk to one of our testers or meet with them, we would be happy to arrange this for you.
