
Web Security Testing
There are four stages to a web application security test:
Understand the Requirements
What parts of the application are included in the test? Just the Internet-facing application, or perhaps an internal administration system too? How sensitive is the data stored in the site? Are there any particular threats that you're worried about? These issues affect how technical vulnerabilities translate to real-world risks. What security decisions have already been made about the site; for example, does it use SSL? Also, how security-aware are the developers? I will offer guidance here, and if the requirements are particularly unclear, recommend security consultancy to help you.
Arrange Technical Details
Usually testing will be conducted against a development copy of the live application. It is also possible to test the live site, although I advise against this in most circumstances. You will need to arrange my access to the application, usually by opening up a firewall rule for my source IP address. If the application has user accounts, I will need test accounts to work with. I'll also need contact details for a developer I can speak to during testing, in case any queries arise.
Perform Testing
To conduct the test, I access the site in the same way as a legitimate user. I go through the site, identifying components such as dynamic pages, forms and Ajax callbacks. I then make deliberately invalid requests to each component, to check for weaknesses. To get an idea of the vulnerabilities I'm looking for, see the checklist. This is predominantly a manual process, although I use open-source tools to assist me.
Communicate Results
I will produce a report outlining the results. This starts with a high-level assessment intended for non-technical people, essentially answering the question "is there anything we need to fix urgently?" There is then a more detailed section aimed at technical people. This describes any problems found, with links to Internet references and guidance on fixing each problem. I strongly recommend having a follow-up conference call as well, where the report is discussed between interested parties and I'm available to answer questions. I'm also available to answer questions by email.

Interested?

If you're interested in getting a quote for a web application security test, please email me. If the site is already online, let me know the URL. Otherwise, provide a brief description of the site. If you'd like to discuss this on the phone, include your phone number and time zone.

© 1998 - 2009 Paul Johnston, distributed under the BSD License. Updated: 08 Jun 2009