S.No Feature Free Vulnerability Assessment Application Penetration Test
1 Initial vulnerability scan
2 High-Level Validation of Critical Findings
3 Communicate most risky issues to Client
4 High-Level Findings Report
5 Consultation with Application Security Expert
6 Confirmation of remediation
7 Manual Application Assessment
8 Attempt non-privileged user rights escalation
9 Full OWASP Top 10 Analysis
10 Vulnerability Scan of underlying systems
11 Detailed findings report
12 Multiple consultations with Application Security Experts
13 Consultation with 3rd party Application Developers
14 Detailed information on Issue Remediation
Vulnerability Scan – An automated tool that ‘crawls’ through a web application looking for vulnerabilities.

Our Free Vulnerability Assessment – May or may not use a scan as a starting point and involves an application security expert analyzing the target, weeding out false positives and highlighting/prioritizing the most important issues.
WAFs, like their network-based counterparts, provide a valuable measure of protection IF they are configured properly. However, like a network firewall, the danger lies in what they allow to pass through. WAFs don’t automatically adapt to the underlying application and need to be heavily customized to each input screen (and maintained when those screens are updated) to be effective. What usually ends up happening is that WAFs are deployed with default settings, which provide some level of increased security but fail to live up to the full capability of the technology.
Yes, these providers do have great security. They are, however, providing infrastructure akin to a well-crafted automobile. Think of your web application as the driver of that automobile. If it drives into a wall at 55 miles/hour, the results will be catastrophic.

The applications built on these excellent platforms host your company’s/customer’s data, confidential business processes, and competitive edge. If the application is vulnerable, the underlying platform that ensures its availability to authorized users will not differentiate providing that same availability to unauthorized ones.
You may not. If your website serves primarily as an Internet-accessible brochure, you trust the maintainers to have good backups and you run regular scans to check for new vulnerabilities, then we wouldn’t recommend a security assessment.

If, however, your website provides some important business function, process automation, or customer service –then you probably do. This is why standards like PCI, HIPAA, COBIT, etc. require periodic security assessments. Web applications can be complex and typically involve multiple building blocks not authored by the application creator. With all these additional components and complexity comes inherent risk and an imperative to quantify that risk.
There is! The Open Web Application Security Project (OWASP) publishes research, training material, and updates on modern web application attack methods and classes of vulnerabilities. CyberEye uses this, among other sources, to guide our penetration testing activities. Your web application developers can leverage the same resource to inform them of security pitfalls while coding.